Abstract

Cousot and Cousot introduced and studied a general past/future-time specification language, called the $\overleftrightarrow{\mu}$-calculus, featuring a natural time-symmetric trace-based semantics. The standard state-based semantics of the $\overleftrightarrow{\mu}$-calculus is an abstract interpretation of its trace-based semantics, which turns out to be incomplete (i.e., trace-incomplete), even for finite systems. As a consequence, standard state-based model checking of the $\overleftrightarrow{\mu}$-calculus is incomplete w.r.t. trace-based model checking. This paper shows that any refinement or abstraction of the domain of sets of states induces a corresponding semantics which is still trace-incomplete for any propositional fragment of the $\overleftrightarrow{\mu}$-calculus. This derives from a number of results, one for each incomplete logical/temporal connective of the $\overleftrightarrow{\mu}$-calculus, that characterize the structure of models, i.e. transition systems, whose corresponding state-based semantics of the $\overleftrightarrow{\mu}$-calculus is trace-complete.

1 Introduction

Temporal specification languages used in automatic verification by model checking can be classified in two broad classes: linear and branching time languages. Linear-time languages allow one to express properties of computation paths of the model, called traces, while specifications of branching time languages describe properties that depend on the branching structure of the model. LTL and CTL are the most commonly used languages for, respectively, linear and branching time model checking. The relationship between linear and branching time languages has been the subject of thorough investigation since the 1980s (see [26] for a survey); in particular it is well known that LTL and CTL have incomparable expressive powers [2, 11, 18].

Given a linear specification $\phi$, the standard universal model checking problem consists in characterizing the set $\mathrm{MC}^\forall_{\mathcal{M}}(\phi)$ of states $s$ in a model $\mathcal{M}$, i.e. a transition system (or a Kripke structure), such that any trace in $\mathcal{M}$ whose present time is $s$ satisfies $\phi$. Hence, if $[\![\phi]\!] = \{(i,\sigma) \in \mathcal{M} \mid (i,\sigma) \models \phi\}$ denotes the trace semantics of $\phi$, where in a trace $(i,\sigma)$, $\sigma$ is a $\mathbb{Z}$-indexed sequence of states and $i \in \mathbb{Z}$ denotes present time, then $\mathrm{MC}^\forall_{\mathcal{M}}(\phi) = \{s \in \mathrm{States} \mid \forall (i,\sigma) \in \mathcal{M}.\ (\sigma_i = s) \Rightarrow (i,\sigma) \in [\![\phi]\!]\}$. Cousot and Cousot showed in their POPL'00 paper [10] that this can be formalized as a step of abstraction within the standard abstract interpretation framework [8, 9]. In fact, Cousot and Cousot [10] consider the universal path quantifier $\alpha^\forall_{\mathcal{M}} : \wp(\mathrm{Traces}) \to \wp(\mathrm{States})$ which maps any set $T$ of traces to the set of states $s \in \mathrm{States}$ such that any trace in $\mathcal{M}$ with present state $s$ belongs to $T$, and show that $\alpha^\forall_{\mathcal{M}}$ is an approximation map in the abstract interpretation sense. Hence, $\alpha^\forall_{\mathcal{M}}$ is called the universal model checking abstraction because $\mathrm{MC}^\forall_{\mathcal{M}}(\phi) = \alpha^\forall_{\mathcal{M}}([\![\phi]\!])$. Dually, one can define an existential model checking abstraction $\alpha^\exists_{\mathcal{M}} : \wp(\mathrm{Traces}) \to \wp(\mathrm{States})$ that formalizes standard existential model checking: $\alpha^\exists_{\mathcal{M}}(T)$ provides the set of states $s \in \mathrm{States}$ such that there exists a trace in $\mathcal{M}$ with present state $s$ which belongs to $T$. According to the standard abstract interpretation methodology, this universal abstraction gives rise to an abstract state semantics of a linear language and thus transforms the trace-based universal model checking problem into a state-based universal model checking problem. Basically, the universal state-based semantics $[\![\phi]\!]^\forall_{\mathrm{state}}$ of a linear formula $\phi$ is obtained by abstracting each linear temporal operator appearing in $\phi$, like next-time or sometime operators, to its best correct approximation on $\wp(\mathrm{States})$ through the abstraction map $\alpha^\forall_{\mathcal{M}}$. This abstract semantics $[\![\phi]\!]^\forall_{\mathrm{state}}$ of $\phi$ coincides with the state semantics of the branching time formula $\phi^\forall$ obtained from $\phi$ by preceding each linear temporal operator occurring in $\phi$ by the universal path quantifier. In Cousot and Cousot's work [10] formulae range over a past- and future-time temporal language which generalizes Kozen's $\mu$-calculus. Hence, this allows one to transform the trace-based model checking problem $\mathcal{M}, s \models_{\mathrm{trace}} \phi$, i.e. $s \in \alpha^\forall_{\mathcal{M}}([\![\phi]\!])$, into a state-based model checking problem

$\mathcal{M}, s \models_{\mathrm{state}} \phi$, i.e. $s \in [\![\phi]\!]^\forall_{\mathrm{state}}$.

It should be clear that the state-based model checking is a sound approximation of the trace-based one, namely:

$\mathcal{M}, s \models_{\mathrm{state}} \phi \ \Rightarrow\ \mathcal{M}, s \models_{\mathrm{trace}} \phi.$

It should be noted that in abstract interpretation soundness is guaranteed by construction, namely $[\![\phi]\!]^\forall_{\mathrm{state}} \subseteq \alpha^\forall_{\mathcal{M}}([\![\phi]\!])$ always holds. However, it turns out that this abstraction is incomplete, that is, the reverse direction does not hold, even for finite-state systems. We will provide later an example of this phenomenon. Let us remark that when $[\![\phi]\!]^\forall_{\mathrm{state}} = \alpha^\forall_{\mathcal{M}}([\![\phi]\!])$ holds for some linear formula $\phi$, Kupferman and Vardi [17, 25] say that the formula $\phi$ is branchable. Branchable formulae have been used by Kupferman and Vardi for studying how model checking of an LTL formula $\phi$ can be reduced to an equivalent model checking of the corresponding CTL formula $\phi^\forall$.

The above incompleteness means that universal model checking of linear formulae cannot be reduced with no loss of precision to universal model checking on states through the universal abstraction. This also means that classical state-based model checking algorithms (e.g. for CTL) do not provide exact information w.r.t. a trace-based interpretation. This opens the question whether it is possible to find some different approximation $A$ of the trace-based model checking problem which (1) is still related to states, namely $A$ refines or abstracts from sets of states, and (2) induces an approximated model checking which is instead equivalent to the trace-based one: for any $s \in \mathrm{States}$ and any linear formula $\phi$,

$\mathcal{M}, s \models_A \phi \ \Leftrightarrow\ \mathcal{M}, s \models_{\mathrm{trace}} \phi. \qquad (*)$

It is important to remark that we do not consider generic approximations of traces, but only approximations that can be obtained by refinements or simplifications of sets of states, namely of the domain $\wp(\mathrm{States})$. Let us notice that the trivial abstraction $\mathrm{Trivial} = \{\bot\}$, i.e. the abstraction carrying no information at all by confusing all the traces, i.e. $\alpha_{\mathrm{Trivial}}(T) = \bot$ for any set $T$ of traces, satisfies the above equivalence because we always have that $[\![\phi]\!]_{\mathrm{Trivial}} = \bot = \alpha_{\mathrm{Trivial}}([\![\phi]\!])$. More precisely, the paper answers the following question: is it possible to minimally refine or abstract the state-based semantics of a general temporal language so that this refinement/abstraction induces a corresponding approximated model checking which is trace-complete, i.e. equivalent to the trace-based model checking? In our approach, refinements and abstractions of a semantics are intended to be specified by standard abstract interpretation [8, 9]. This paper provides the following results:

(i) the only refinement of the state-based semantics inducing a trace-complete model 
checking is the trace-based semantics itself; 

(ii) on the opposite direction, the only abstraction of the state-based semantics inducing 
a trace-complete model checking is the trivial semantics carrying no information at 
all; 






(iii) for each basic temporal/logical operator of a past- and future-time extension of Kozen's $\mu$-calculus we characterize the least trace-complete abstractions which, respectively, include and are included in the state-based semantics.

Points (i) and (ii) prove that states are, so to say, "intrinsically trace-incomplete", since there 
is no way to obtain a trace-complete model checking by modifying, through refinements or 
abstractions, the state-based semantics. 

The Scenario. As mentioned above, our results are formulated and shown within Cousot and Cousot's [10] abstract interpretation-based approach to model checking called temporal abstract interpretation. Cousot and Cousot [10] introduced an enhanced past- and future-time temporal calculus, called the $\overleftrightarrow{\mu}$-calculus, which is inspired by Kozen's $\mu$-calculus. The trace-based semantics of the $\overleftrightarrow{\mu}$-calculus is time-symmetric: this means that execution traces have potentially infinite length both in the future and in the past. This time symmetry is not the only feature of the $\overleftrightarrow{\mu}$-calculus. The $\overleftrightarrow{\mu}$-calculus also provides a tight combination of linear and branching time, allowing one to derive classical specification languages like LTL, CTL, CTL* and Kozen's $\mu$-calculus itself as suitable fragments.

One main achievement in [10] is that state-based model checking of transition systems (or Kripke structures) can be viewed as an abstract interpretation of the trace-based semantics. It is worth mentioning that this abstract interpretation-based approach has been applied to a number of temporal languages by Schmidt [24] and also to the case of modal Kripke transition systems by Schmidt [24] and Huth et al. [15]. The semantics $[\![\phi]\!]_{\mathrm{trace}}$ of a temporal specification $\phi \in \overleftrightarrow{\mu}$ is the set of traces in the model $\mathcal{M}$ making $\phi$ true. States are viewed as a universal abstract interpretation of traces through the universal concretization $\gamma^\forall_{\mathcal{M}} : \wp(\mathrm{States})_\subseteq \to \wp(\mathrm{Traces})_\subseteq$ defined by

$\gamma^\forall_{\mathcal{M}}(S) = \{(i,\sigma) \in \mathcal{M} \mid \sigma_i \in S\}.$

This map $\gamma^\forall_{\mathcal{M}}$ induces an abstract interpretation together with its adjoint universal abstraction $\alpha^\forall_{\mathcal{M}} : \wp(\mathrm{Traces}) \to \wp(\mathrm{States})$ defined by

$\alpha^\forall_{\mathcal{M}}(T) = \{s \in \mathrm{States} \mid \text{for any trace } (i,\sigma) \in \mathcal{M},\ \text{if } \sigma_i = s \text{ then } (i,\sigma) \in T\}.$

This abstract interpretation systematically induces a state-based semantics $[\![\cdot]\!]^\forall_{\mathrm{state}} : \overleftrightarrow{\mu} \to \wp(\mathrm{States})$: for example, for an atomic proposition $p$,

$[\![p]\!]^\forall_{\mathrm{state}} = \alpha^\forall_{\mathcal{M}}([\![p]\!]_{\mathrm{trace}})$
$[\![\mathrm{AX}p]\!]^\forall_{\mathrm{state}} = \alpha^\forall_{\mathcal{M}} \circ \mathrm{X} \circ \gamma^\forall_{\mathcal{M}}([\![p]\!]^\forall_{\mathrm{state}}) = \widetilde{\mathrm{pre}}_\to([\![p]\!]^\forall_{\mathrm{state}})$

where $\mathrm{X}$ is the next-time transformer on traces and $\widetilde{\mathrm{pre}}_\to$ is the standard "universal pre" transformer of states w.r.t. the transition relation $\to$ of the model $\mathcal{M}$. The abstract interpretation approach ensures that $[\![\cdot]\!]^\forall_{\mathrm{state}}$ is sound by construction with respect to the trace semantics: for any $\phi \in \overleftrightarrow{\mu}$:

$[\![\phi]\!]^\forall_{\mathrm{state}} \subseteq \alpha^\forall_{\mathcal{M}}([\![\phi]\!]_{\mathrm{trace}}).$

However, as proved in [10], this inclusion may be strict and this means that the state-based model checking of the $\overleftrightarrow{\mu}$-calculus is trace-incomplete, namely the above equivalence (*) does not hold. Let us recall an example of incompleteness from [10].

Example 1.1. Consider the following minimal transition system $\mathcal{M}$: two states 1 and 2 with transitions $1 \to 1$, $1 \to 2$ and $2 \to 2$, where the atomic proposition $p$ holds exactly in state 1 and $q$ holds exactly in state 2. Consider the linear formula $\phi = \mathrm{G}p \vee \mathrm{FG}q$. We have that

$[\![\mathrm{G}p]\!]_{\mathrm{trace}} = \{(i,\sigma) \in \mathcal{M} \mid \forall j \geq i.\ (j,\sigma) \in [\![p]\!]_{\mathrm{trace}}\} = \{(i, \cdots 1\,1\,1 \cdots) \in \mathcal{M} \mid i \in \mathbb{Z}\}$

$[\![\mathrm{FG}q]\!]_{\mathrm{trace}} = \{(i,\sigma) \in \mathcal{M} \mid \exists j \geq i.\ \forall k \geq j.\ (k,\sigma) \in [\![q]\!]_{\mathrm{trace}}\}$
$\qquad = \{(i, \cdots 1\,1\,1\,2\,2\,2 \cdots) \in \mathcal{M} \mid i \in \mathbb{Z}\} \cup \{(i, \cdots 2\,2\,2 \cdots) \in \mathcal{M} \mid i \in \mathbb{Z}\}.$

Thus, $[\![\phi]\!]_{\mathrm{trace}} = \mathcal{M}$, so that $\alpha^\forall_{\mathcal{M}}([\![\phi]\!]_{\mathrm{trace}}) = \{1,2\}$. On the other hand, the state semantics $[\![\phi]\!]^\forall_{\mathrm{state}}$ is given by the state semantics of the CTL formula $\phi^\forall = \mathrm{AG}p \vee \mathrm{AFAG}q$. Thus, it turns out that $[\![\phi]\!]^\forall_{\mathrm{state}} = \{2\}$ because in $\mathcal{M}$: (i) it is possible to jump from state 1 to state 2, so that $[\![\mathrm{AG}p]\!] = \emptyset$, and (ii) it is possible to stay forever in state 1, so that $[\![\mathrm{AFAG}q]\!] = \{2\}$. As a consequence,

$\mathcal{M}, 1 \models_{\mathrm{trace}} \phi \quad \text{while} \quad \mathcal{M}, 1 \not\models_{\mathrm{state}} \phi$

namely, the universal state-based model checking of state 1 for $\phi$ is trace-incomplete. □
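The two sides of Example 1.1 can be computed mechanically. The following Python is an added example, not code from the paper: it encodes the two-state system of the example (states 1 and 2, transitions $1 \to 1$, $1 \to 2$, $2 \to 2$, $p$ true in state 1 and $q$ in state 2, all constructed here), computes $[\![\mathrm{AG}p \vee \mathrm{AFAG}q]\!]^\forall_{\mathrm{state}}$ with the usual fixpoint characterizations over $\widetilde{\mathrm{pre}}_\to$, and computes $\alpha^\forall_{\mathcal{M}}([\![\mathrm{G}p \vee \mathrm{FG}q]\!]_{\mathrm{trace}})$ exactly by a reachability argument that is specific to this formula (a violating path must visit a non-$p$ state and visit non-$q$ states infinitely often; on a finite system such a path exists iff a non-$q$ state lying on a cycle is reachable from a reachable non-$p$ state). All function names are this example's own.

```python
"""State-based vs trace-based universal model checking of
phi = G p \/ F G q on the two-state system of Example 1.1.
Added example; not code from the paper."""

# Constructed model: states 1, 2; transitions 1->1, 1->2, 2->2 (forward and
# backward total); p holds exactly in state 1, q exactly in state 2.
STATES = frozenset({1, 2})
TRANS = frozenset({(1, 1), (1, 2), (2, 2)})
P, Q = frozenset({1}), frozenset({2})


def pre(rel, y):
    """pre_->(Y): states with some successor in Y."""
    return frozenset(a for a, b in rel if b in y)


def pre_tilde(states, rel, y):
    """~pre_->(Y) = not pre_->(not Y): states all of whose successors are in Y."""
    return states - pre(rel, states - y)


def fixpoint(f, start):
    """Kleene iteration from `start`; terminates on a finite state space."""
    x = start
    while True:
        nxt = f(x)
        if nxt == x:
            return x
        x = nxt


def ag(states, rel, y):
    """AG y = gfp(Z. y /\ ~pre(Z)), iterated downward from the top element."""
    return fixpoint(lambda z: y & pre_tilde(states, rel, z), states)


def af(states, rel, y):
    """AF y = lfp(Z. y \/ ~pre(Z)), iterated upward from the empty set."""
    return fixpoint(lambda z: y | pre_tilde(states, rel, z), frozenset())


def state_semantics(states, rel, p, q):
    """[[phi]]^forall_state = [[AG p \/ AF AG q]] (CTL semantics on states)."""
    return ag(states, rel, p) | af(states, rel, ag(states, rel, q))


def reach(rel, sources):
    """States reachable from `sources` in zero or more transitions."""
    seen, frontier = set(sources), set(sources)
    while frontier:
        frontier = {b for a, b in rel if a in frontier} - seen
        seen |= frontier
    return frozenset(seen)


def on_cycle(rel, s):
    """True iff s is reachable from itself in at least one transition."""
    return s in reach(rel, {b for a, b in rel if a == s})


def trace_semantics(states, rel, p, q):
    """alpha^forall_M([[G p \/ F G q]]_trace): states s such that every path
    from s satisfies the formula.  A violating path visits a non-p state and
    visits non-q states infinitely often; on a finite system it can be taken
    ultimately periodic, so it exists iff from s one can reach a non-p state y
    from which some non-q state lying on a cycle is reachable."""
    bad_cycle = frozenset(z for z in states - q if on_cycle(rel, z))
    violating = frozenset(
        s for s in states
        if any(bad_cycle & reach(rel, {y}) for y in (states - p) & reach(rel, {s})))
    return states - violating


def trace_semantics_g(states, rel, p):
    """alpha^forall_M([[G p]]_trace): states from which no non-p state is
    reachable.  Here the state semantics AG p coincides with it."""
    return frozenset(s for s in states if not ((states - p) & reach(rel, {s})))


if __name__ == "__main__":
    print("state semantics:", sorted(state_semantics(STATES, TRANS, P, Q)))  # [2]
    print("trace semantics:", sorted(trace_semantics(STATES, TRANS, P, Q)))  # [1, 2]
```

The reachability formulation of `trace_semantics` is exact only because the formula is fixed; a general LTL checker would build an automaton for the negated formula instead. The comparison of the two results is the incompleteness of the example: the state semantics is a strict subset of the trace semantics, while for $\mathrm{G}p$ alone both computations agree.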

The same phenomenon holds even for standard, i.e. partition-based [6, 7], or generic, i.e. abstract domain-based [10, 13, 21, 22], abstract model checking, where the abstraction map actually is a state abstraction and can be modeled as a further abstract interpretation step of $[\![\cdot]\!]_{\mathrm{state}}$. It is therefore important, in order to understand the limits of state-based (concrete or abstract) model checking with respect to properties of traces, to investigate whether it is possible to find a semantics $[\![\cdot]\!]_?$ as a refinement or abstraction of $[\![\cdot]\!]_{\mathrm{state}}$ which is complete for the trace-based semantics $[\![\cdot]\!]_{\mathrm{trace}}$.
Complete Core and Shell. Our main goal is that of isolating the least refinements and abstractions of the state-based model checking, i.e. of $\wp(\mathrm{States})$ viewed as an abstract domain of $\wp(\mathrm{Traces})$ through the universal abstraction $\alpha^\forall_{\mathcal{M}}$, which are trace-complete.

Let us recall that an abstract domain $A = \alpha(\mathrm{Concrete})$ together with an abstract semantics $f^\sharp : A \to A$ is complete for a semantic function $f : \mathrm{Concrete} \to \mathrm{Concrete}$ when $\alpha(f(c)) = f^\sharp(\alpha(c))$ holds for any concrete $c$. Thus, completeness means that abstract computations by $f^\sharp$ are as precise as possible in the abstract domain $A$. Giacobazzi et al. [12] observed that completeness actually depends on the abstract domain $A$ only, because it is enough to consider the best correct approximation $\alpha \circ f \circ \gamma$ of $f$ as abstract semantics. Thus, it turns out that completeness is an abstract domain property: $A$ is complete for $f$ iff the equation $\alpha \circ f = \alpha \circ f \circ \gamma \circ \alpha$ holds. Hence, this opens up the key question of making an abstract interpretation complete by minimally extending or restricting the underlying abstract domain. Following the terminology in [12], we call complete shell/core of $A$ the most abstract/concrete domain, when this exists, which refines/abstracts $A$ and is complete for $f$. Thus, complete shells add to an abstract domain the minimal amount of information in order to make it complete, while complete cores act in the opposite direction by removing the minimal amount of information in order to achieve completeness. As shown in [12], complete cores always exist, while complete shells exist under the weak hypothesis that the concrete semantics $f$ is Scott-continuous. Furthermore, complete cores and shells enjoy a constructive fixpoint characterization. While it should be clear that completeness could be achieved by refining abstract domains, perhaps it is somehow surprising that also by removing information from an abstract domain one could reach the completeness property. In this case the abstraction is intended to remove from an incomplete abstract domain exactly the source of incompleteness. Let us consider a simple example to illustrate this. Consider the following abstract domain of signs $\mathrm{Sign}^+ = \{\mathbb{Z}, [0,+\infty], [-\infty,0], [0,9], [0]\}$, which in addition to sign information also represents precisely the interval $[0,9]$. It turns out that $\mathrm{Sign}^+$ is not complete for integer multiplication: for example, $2 \times 3$ is approximated in $\mathrm{Sign}^+$ by $[0,9]$ while the abstract multiplication $\alpha_{\mathrm{Sign}^+}(2) \times^{\mathrm{Sign}^+} \alpha_{\mathrm{Sign}^+}(3)$ gives $[0,+\infty]$. However, $\mathrm{Sign} = \{\mathbb{Z}, [0,+\infty], [-\infty,0], [0]\}$, which is an abstraction of $\mathrm{Sign}^+$, turns out to be complete for multiplication. Even more, $\mathrm{Sign}$ is the most concrete domain which abstracts $\mathrm{Sign}^+$ and is complete for multiplication, namely $\mathrm{Sign}$ is the complete core of $\mathrm{Sign}^+$ for multiplication. Hence, the complete core isolated and removed from $\mathrm{Sign}^+$ the abstract value $[0,9]$, which was the unique source of incompleteness.

Main Results. We characterize the complete core and shell of the universal state domain $\wp(\mathrm{States})$ for all the trace transformers of the $\overleftrightarrow{\mu}$-calculus which are sources of incompleteness: negation, next-time, time-reversal and disjunction. We also characterize the structure of transition systems such that the universal state-based model checking is complete for next-time and time-reversal. In particular, disjunction turns out to be the crucial connective. In fact, the trace-complete shell of the universal state domain for the disjunction operation is (essentially) the domain of traces itself, while the trace-complete core is the trivial abstraction of states carrying no information at all. Let us point out that one remarkable feature of our abstract interpretation-based approach lies in the fact that it is fully constructive, namely we exploit general abstract interpretation results that always provide complete cores and shells in fixpoint form.

On the basis of this analysis, we show that for the $\overleftrightarrow{\mu}$-calculus:

(1) The most abstract refinement of the domain of states that induces a model checking which is trace-complete turns out to be the domain of traces itself.

(2) The straightforward abstraction to a non-informative singleton is the unique abstraction of the domain of states (and hence of the domain of traces) which induces a trace-complete model checking.

(3) For each basic temporal/logical operator of the $\overleftrightarrow{\mu}$-calculus we constructively characterize the complete core and shell of the state abstraction for traces. These results provide the basis for isolating fragments of the $\overleftrightarrow{\mu}$-calculus which have nonstraightforward trace-complete shells and cores of states.

These results prove that there is no way to get a complete approximation of the trace-based semantics by either refining or approximating the state-based model checking for the entire $\overleftrightarrow{\mu}$-calculus, emphasizing the intrinsic limits of the precision of state-based model checking with respect to the trace-based semantics. Moreover, since abstract model checking can be viewed as abstract interpretation of $[\![\cdot]\!]_{\mathrm{state}}$ (cf. [10]), this also implies that any abstract model checking is intrinsically incomplete with respect to the trace semantics of the $\overleftrightarrow{\mu}$-calculus.

2 Abstract interpretation and model checking

2.1 Notation

If $X$ is any set then $\mathrm{Cl}_\cap, \mathrm{Cl}_\cup : \wp(\wp(X)) \to \wp(\wp(X))$ denote, respectively, the operators that close any subset $Y \in \wp(\wp(X))$ under arbitrary intersections and unions, e.g. $\mathrm{Cl}_\cap(Y) = \{\cap S \mid S \subseteq Y\}$. Note that $X \in \mathrm{Cl}_\cap(Y)$ and $\emptyset \in \mathrm{Cl}_\cup(Y)$ because $X = \cap\emptyset$ and $\emptyset = \cup\emptyset$. If $S \subseteq X$ then $\neg S$ denotes the complement of $S$ in $X$.

A poset $P$ w.r.t. a partial ordering $\leq$ is denoted by $(P, \leq)$ or $P_\leq$. We use the symbol $\sqsubseteq$ to denote pointwise ordering between functions: if $X$ is any set, $P_\leq$ a poset, and $f, g : X \to P$ then $f \sqsubseteq g$ if for all $x \in X$, $f(x) \leq g(x)$. If $P$ is a poset and $X \subseteq P$ then $\max(X) = \{x \in X \mid \forall y \in X.\ x \leq y \Rightarrow x = y\}$. We denote by $\mathrm{lfp}(f)$ and $\mathrm{gfp}(f)$ (or by $\mathrm{lfp}_\leq(f)$ and $\mathrm{gfp}_\leq(f)$ to emphasize the partial ordering $\leq$), respectively, the least and greatest fixpoint, when they exist, of an operator $f : P \to P$ on a poset $P_\leq$. It is well known that if $(C, \leq, \vee, \wedge, \top, \bot)$ is a complete lattice (actually, for least fixpoints a CPO would be enough) and $f : C \to C$ is monotone then both $\mathrm{lfp}(f)$ and $\mathrm{gfp}(f)$ exist and the following characterizations hold:

$\mathrm{lfp}(f) = \wedge\{x \in C \mid f(x) \leq x\}, \qquad \mathrm{gfp}(f) = \vee\{x \in C \mid x \leq f(x)\}.$

It is also well known that if $f$ is continuous, i.e. $f$ preserves lub's of directed subsets or, equivalently, of ascending chains, then $\mathrm{lfp}(f) = \vee_{i \in \mathbb{N}} f^i(\bot)$, where the sequence $\{f^i(x)\}_{i \in \mathbb{N}}$, for any $x \in C$, is inductively defined by $f^0(x) = x$ and $f^{i+1}(x) = f(f^i(x))$. Dually, if $f$ is co-continuous then $\mathrm{gfp}(f) = \wedge_{i \in \mathbb{N}} f^i(\top)$. A function $f : C \to C$ is (finitely) additive when $f$ preserves lub's of (finite) arbitrary subsets of $C$, while co-additivity is dually defined.

2.2 Abstract interpretation and completeness

2.2.1 The lattice of abstract domains

In standard abstract interpretation [8, 9], abstract domains can be equivalently specified either by Galois connections/insertions (GCs/GIs) or by (upper) closure operators (uco's). These two approaches are equivalent, modulo isomorphic representations of domain objects. The closure operator approach enjoys the advantage of being independent from the representation of domain objects: in fact, an abstract domain here is given as a function on the concrete domain of computation. This feature makes closures appropriate for reasoning on abstract domains independently from their representation. Given a complete lattice $C_\leq$, playing the role of concrete domain, recall that $\rho : C \to C$ is a uco when $\rho$ is monotone, idempotent and extensive (viz. $x \leq \rho(x)$). We denote by $\mathrm{uco}(C)$ the set of uco's on $C$. Let us recall that each $\rho \in \mathrm{uco}(C)$ is uniquely determined by the set of its fixpoints, which is its image, i.e. $\mathrm{img}(\rho) = \{x \in C \mid \rho(x) = x\}$, because $\rho = \lambda x.\ \wedge\{y \in C \mid y \in \mathrm{img}(\rho),\ x \leq y\}$. Moreover, a subset $X \subseteq C$ is the set of fixpoints of some uco on $C$ iff $X$ is meet-closed, i.e. $X = \mathcal{M}(X) = \{\wedge Y \mid Y \subseteq X\}$ (note that $\top_C = \wedge\emptyset \in \mathcal{M}(X)$). Note that when $C = \wp(S)_{\subseteq/\supseteq}$, for some set $S$, then $\mathcal{M} = \mathrm{Cl}_\cap/\mathrm{Cl}_\cup$. Often, we will identify closures with their sets of fixpoints. This does not give rise to ambiguity, since one can distinguish their use as functions or sets according to the context. It is well known that $\mathrm{uco}(C)$ endowed with the pointwise ordering $\sqsubseteq$ gives rise to the complete lattice $(\mathrm{uco}(C), \sqsubseteq, \sqcup, \sqcap, \lambda x.\top, \mathrm{id})$. It turns out that pointwise ordering between uco's corresponds to superset ordering of the corresponding sets of fixpoints, i.e., $\rho \sqsubseteq \eta$ iff $\mathrm{img}(\eta) \subseteq \mathrm{img}(\rho)$. Let us also recall that for any $\rho \in \mathrm{uco}(C)$ and $X \subseteq C$, $\rho(\vee X) = \rho(\vee_{x \in X}\rho(x))$, and for any set of closures $\{\rho_i\}_{i \in I} \subseteq \mathrm{uco}(C)$:

$\sqcup_{i \in I}\rho_i = \cap_{i \in I}\rho_i; \qquad \sqcap_{i \in I}\rho_i = \mathcal{M}(\cup_{i \in I}\rho_i); \qquad \sqcap_{i \in I}\rho_i = \lambda x.\ \wedge_{i \in I}\rho_i(x).$

We denote by $(\alpha, C, A, \gamma)$ a GC/GI of the abstract domain $A$ into the concrete domain $C$ through the abstraction and concretization maps $\alpha : C \to A$ and $\gamma : A \to C$. Thus, $\alpha$ and $\gamma$ need to form an adjunction between $C$ and $A$: $\alpha(c) \leq_A a \Leftrightarrow c \leq_C \gamma(a)$. The map $\alpha$ ($\gamma$) is called the left (right) adjoint of $\gamma$ ($\alpha$). Let us recall that it is enough to specify either the abstraction or the concretization map because in any GC the left/right adjoint map uniquely determines the right/left adjoint map: on the one hand, any $\alpha : C \to A$ admits a necessarily unique right adjoint $\gamma : A \to C$ defined by $\gamma(a) = \vee_C\{c \in C \mid \alpha(c) \leq_A a\}$ iff $\alpha$ is additive; on the other hand, any $\gamma : A \to C$ admits a necessarily unique left adjoint $\alpha : C \to A$ defined by $\alpha(c) = \wedge_A\{a \in A \mid c \leq_C \gamma(a)\}$ iff $\gamma$ is co-additive. Recall that a GC is a GI when $\alpha$ is onto or, equivalently, $\gamma$ is 1-1. In abstract interpretation terms, this means that $A$ does not contain useless abstract values, namely objects in $A$ which are not abstractions of some concrete object in $C$. Let us recall that $\rho_A = \gamma \circ \alpha$ is the uco corresponding to the GC $(\alpha, C, A, \gamma)$ and, conversely, any $\rho \in \mathrm{uco}(C)$ induces a GI $(\rho, C, \mathrm{img}(\rho), \mathrm{id})$. Moreover, these two constructions are each the inverse of the other. By this equivalence, throughout the paper, $(\mathrm{uco}(C), \sqsubseteq)$ will play the role of the (complete) lattice of abstract domains of the concrete domain $C$. The pointwise ordering on $\mathrm{uco}(C)$ corresponds to the standard order used to compare abstract domains with regard to their precision: $A_1 \sqsubseteq A_2$ in $\mathrm{uco}(C)$ encodes the fact that $A_1$ is more precise or concrete than $A_2$ or, equivalently, $A_2$ is less precise or more abstract than $A_1$; in this case, we also say that $A_1$ is a refinement of $A_2$ and $A_2$ is a simplification or abstraction of $A_1$. Lub's and glb's on $\mathrm{uco}(C)$ have therefore the following reading as operators on abstract domains. Let $\{A_i\}_{i \in I} \subseteq \mathrm{uco}(C)$: (i) $\sqcup_{i \in I}A_i$ is the most concrete among the domains which are abstractions of all the $A_i$'s; (ii) $\sqcap_{i \in I}A_i$ is the most abstract among the domains which are more concrete than every $A_i$; this domain is also known as the reduced product of all the $A_i$'s.



2.2.2 Complete abstract domains

Let $(\alpha, C, A, \gamma)$ be a GI, $f : C \to C$ be some concrete semantic function (for simplicity of notation, we consider here 1-ary functions) and $f^\sharp : A \to A$ be a corresponding abstract semantic function. Then, $(A, f^\sharp)$ is a sound abstract interpretation, or $f^\sharp$ is a correct approximation of $f$ on $A$, when $\alpha \circ f \sqsubseteq f^\sharp \circ \alpha$. The abstract function $f^A = \alpha \circ f \circ \gamma : A \to A$ is called the best correct approximation of $f$ in $A$. Completeness in abstract interpretation [8, 12] corresponds to requiring the following strengthening of soundness: $\alpha \circ f = f^\sharp \circ \alpha$. Hence, in addition to soundness, completeness corresponds to requiring that no loss of precision is introduced by the abstract function $f^\sharp$ on an approximation $\alpha(c)$ of a concrete object $c \in C$ with respect to approximating by $\alpha$ the concrete computation $f(c)$. As a very simple example, let us consider again the abstract domain $\mathrm{Sign}$ representing the sign of an integer variable. Let us also consider the binary concrete operations of integer addition and multiplication lifted to sets of integers in $\wp(\mathbb{Z})$, e.g., $X + Y = \{x + y \mid x \in X,\ y \in Y\}$. Hence, it turns out that the best correct approximation $+^{\mathrm{Sign}}$ on $\mathrm{Sign}$ of integer addition is sound but not complete because $\alpha(\{-1\} + \{1\}) = \alpha(\{0\}) = [0] <_{\mathrm{Sign}} \mathbb{Z} = \mathbb{Z}_\leq +^{\mathrm{Sign}} \mathbb{Z}_\geq = \alpha(\{-1\}) +^{\mathrm{Sign}} \alpha(\{1\})$. On the other hand, it is immediate to note that the best correct approximation of integer multiplication is instead complete.

Let us recall that completeness lifts to least fixpoints, i.e., if $(A, f^\sharp)$ is complete then $\alpha(\mathrm{lfp}(f)) = \mathrm{lfp}(f^\sharp)$. Completeness is an abstract domain property because it only depends on the abstract domain: in fact, it turns out that $(A, f^\sharp)$ is complete iff $(A, f^A)$ is complete. Thus, completeness can be equivalently stated as a property of closures: $A$ is complete iff $\alpha \circ f = f^A \circ \alpha$ iff $\gamma \circ \alpha \circ f = \gamma \circ \alpha \circ f \circ \gamma \circ \alpha$. Thus, for abstract domains specified as closure operators, an abstract domain $\rho \in \mathrm{uco}(C)$ is defined to be complete for $f$ if $\rho \circ f = \rho \circ f \circ \rho$. More in general, the definition of completeness is extended to any set $F$ of semantic functions by requiring completeness for each $f \in F$. Throughout the paper, we will adopt the following notation: $\Gamma(C, f) = \{\rho \in \mathrm{uco}(C) \mid \rho \text{ is complete for } f\}$, so that for a set $F$, $\Gamma(C, F) = \cap_{f \in F}\Gamma(C, f)$. The following property will be useful later on.

$\rho \in \Gamma(C, f) \ \text{ iff } \ \rho \in \Gamma(C, \{f^n\}_{n \in \mathbb{N}}) \qquad (*)$

In fact, let us show by induction on $n \in \mathbb{N}$ that if $\rho \in \Gamma(C, f)$ then for any $n \in \mathbb{N}$, $\rho \in \Gamma(C, f^n)$. The case $n = 0$ amounts to $\rho \in \Gamma(C, \lambda x.x)$, which is trivially true. For $n + 1$ we have that: $\rho \circ f^{n+1} =$ (since $\rho \in \Gamma(C, f)$) $= \rho \circ f \circ \rho \circ f^n =$ (by inductive hypothesis) $= \rho \circ f \circ \rho \circ f^n \circ \rho =$ (since $\rho \in \Gamma(C, f)$) $= \rho \circ f \circ f^n \circ \rho = \rho \circ f^{n+1} \circ \rho$. The converse direction is immediate, since $f = f^1$.

Let us also recall that, by a well-known result (see, e.g., [9, Theorem 7.1.0.4] and [10, Section 6]), complete abstract domains are "fixpoint complete" as well. This means that if $\rho \in \Gamma(C, f)$, where $f$ is monotone, then $\mathrm{lfp}(\rho \circ f) = \rho(\mathrm{lfp}(f))$. Moreover, if either $\rho$ does not contain infinite descending chains or $\rho$ is co-continuous then this also holds for greatest fixpoints, namely $\mathrm{gfp}(\rho \circ f) = \rho(\mathrm{gfp}(f))$.



2.2.3 Complete core and shell

The fact that completeness is an abstract domain property opens the question of making an abstract interpretation complete by minimally extending or, dually, restricting the underlying abstract domain. Following [12], given a set of concrete semantic functions $F \subseteq C \to C$ and an abstract domain $A \in \mathrm{uco}(C)$, the complete shell (respectively, core) of $A$ for $F$, when it exists, is the most abstract (respectively, concrete) domain $A_s \in \mathrm{uco}(C)$ (respectively, $A_c \in \mathrm{uco}(C)$) which extends (respectively, restricts) $A$ and is complete for $F$. In other words, the complete shell, respectively core, of $A$ characterizes the least amount of information to be added to, respectively removed from, $A$ in order to get completeness, when this can be done. Complete shell and core of $A$ for $F$ are denoted, respectively, by $\mathrm{Shell}_F(A)$ and $\mathrm{Core}_F(A)$. Thus, a complete shell $\mathrm{Shell}_F(A)$ exists when $\sqcup\{A' \in \mathrm{uco}(C) \mid A' \sqsubseteq A,\ A' \in \Gamma(C, F)\} \in \Gamma(C, F)$, while a complete core $\mathrm{Core}_F(A)$ exists when $\sqcap\{A' \in \mathrm{uco}(C) \mid A \sqsubseteq A',\ A' \in \Gamma(C, F)\} \in \Gamma(C, F)$.

These problems were solved by Giacobazzi et al. [12], who gave a constructive characterization of complete shells and cores. Given a set of functions $F \subseteq C \to C$, the abstract domain transformers $L_F, R_F : \mathrm{uco}(C) \to \mathrm{uco}(C)$ are defined as follows:

$L_F(\eta) = \{y \in C \mid \cup_{f \in F}\max(\{x \in C \mid f(x) \leq y\}) \subseteq \eta\}$
$R_F(\eta) = \mathcal{M}(\cup_{f \in F,\ y \in \eta}\max(\{x \in C \mid f(x) \leq y\})).$

Theorem 2.1 (Giacobazzi et al. [12]). Let $F$ be a set of continuous functions and $\rho \in \mathrm{uco}(C)$. Then, $\rho \in \Gamma(C, F)$ iff $L_F(\rho) \sqsubseteq \rho$ iff $\rho \sqsubseteq R_F(\rho)$. Moreover, the complete shell and core of $\rho$ for $F$ exist and are constructively characterized as follows:

$\mathrm{Shell}_F(\rho) = \sqcap_{i \in \mathbb{N}} R_F^i(\rho), \qquad \mathrm{Core}_F(\rho) = \sqcup_{i \in \mathbb{N}} L_F^i(\rho).$

Thus, the complete shell of $\rho$ for $F$ can be obtained by iteratively adding to $\rho$ the image of the transformer $R_F$ on the current domain, while the complete core can be obtained by iteratively removing from $\rho$ the elements that are not in the image of the transformer $L_F$ on the current domain.

Example 2.2. Let us consider again the abstract domain $\mathrm{Sign}^+$ which abstracts $\wp(\mathbb{Z})_\subseteq$ and the square operation on sets of integers $\mathrm{sq} : \wp(\mathbb{Z}) \to \wp(\mathbb{Z})$ such that $\mathrm{sq}(X) = \{x^2 \mid x \in X\}$. It turns out that $\mathrm{Sign}^+$ is not complete for $\mathrm{sq}$: in fact, $\rho_{\mathrm{Sign}^+}(\mathrm{sq}(\rho_{\mathrm{Sign}^+}([0,3]))) = \rho_{\mathrm{Sign}^+}(\mathrm{sq}([0,9])) = \mathbb{Z}_\geq$, while $\rho_{\mathrm{Sign}^+}(\mathrm{sq}([0,3])) = \rho_{\mathrm{Sign}^+}(\{0,1,4,9\}) = [0,9]$. Theorem 2.1 tells us that the abstract element $[0,9]$ is a source of incompleteness: in fact, we have that $\max(\{X \in \wp(\mathbb{Z}) \mid \mathrm{sq}(X) \subseteq [0,9]\}) = [-3,3] \notin \rho_{\mathrm{Sign}^+}$, so that $R_{\mathrm{sq}}(\rho_{\mathrm{Sign}^+}) \not\subseteq \rho_{\mathrm{Sign}^+}$. Moreover, $[0,9]$ is the unique source of incompleteness in $\mathrm{Sign}^+$ because:

$\max(\{X \in \wp(\mathbb{Z}) \mid \mathrm{sq}(X) \subseteq \mathbb{Z}\}) = \mathbb{Z} \in \rho_{\mathrm{Sign}^+}$
$\max(\{X \in \wp(\mathbb{Z}) \mid \mathrm{sq}(X) \subseteq \mathbb{Z}_\leq\}) = \{0\} \in \rho_{\mathrm{Sign}^+}$
$\max(\{X \in \wp(\mathbb{Z}) \mid \mathrm{sq}(X) \subseteq \mathbb{Z}_\geq\}) = \mathbb{Z} \in \rho_{\mathrm{Sign}^+}$
$\max(\{X \in \wp(\mathbb{Z}) \mid \mathrm{sq}(X) \subseteq \{0\}\}) = \{0\} \in \rho_{\mathrm{Sign}^+}$

Thus, by Theorem 2.1, we have that $\mathrm{Core}_{\mathrm{sq}}(\mathrm{Sign}^+) = \mathrm{Sign}$. □

When $f : C \to C$ is a mere monotone function, in general the complete shell of an abstract domain for $f$ may not exist, while the complete core of an abstract domain for $f$ always exists even if it cannot be constructively characterized by Theorem 2.1.

Remark 2.3. Let $F$ be a set of additive functions. Then, any $f \in F$, $f : C \to C$, admits a right adjoint $f^r : C \to C$ defined by $f^r(y) = \vee\{x \in C \mid f(x) \leq y\}$. In this case, the operators $L_F$ and $R_F$ can be simplified as follows:

$L_F(\eta) = \{y \in C \mid \{f^r(y) \mid f \in F\} \subseteq \eta\}; \qquad R_F(\eta) = \mathcal{M}(\{f^r(y) \mid y \in \eta,\ f \in F\}).$
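The completeness checks of Section 2.2.2 and the core/shell computation of Example 2.2 and Remark 2.3 can be carried out mechanically for $\mathrm{Sign}$ and $\mathrm{Sign}^+$. The following Python is an added example, not code from the paper or from [12]. It represents every abstract element as an integer interval with possibly infinite endpoints (which covers both domains, since $\mathbb{Z}_\leq$, $\mathbb{Z}_\geq$, $[0,9]$ and $[0]$ are all intervals), computes $\rho(f(X))$ exactly on finite sets $X$ and $\rho(f(\rho(X)))$ by interval arithmetic, and implements the simplified $L_{\mathrm{sq}}$ and $R_{\mathrm{sq}}$ of Remark 2.3 through the right adjoint $\mathrm{sq}^r$. The sample inputs are constructed here; the assumption that $\mathrm{sq}^r$ always yields an interval holds for these two domains but not for an arbitrary one, so the code raises in the other case. All names are this example's own.

```python
"""Completeness, complete core and complete shell for the sign domains of
Sections 2.2.2-2.2.3.  Added example; not code from the paper or from [12]."""
from functools import reduce
from itertools import product
from math import inf, isqrt

# Abstract elements are integer intervals (lo, hi); lo/hi may be -inf/+inf.
Z, ZGE, ZLE, ZERO = (-inf, inf), (0, inf), (-inf, 0), (0, 0)
SIGN = frozenset({Z, ZGE, ZLE, ZERO})   # Sign  = {Z, Z>=, Z<=, [0]}
SIGNP = SIGN | {(0, 9)}                 # Sign+ = Sign plus [0,9]

def meet(a, b):
    """Intersection of two intervals, None when empty."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def meet_closure(elems):
    """M(X): close a finite set of intervals under intersection (top Z kept)."""
    elems = set(elems) | {Z}
    while True:
        new = {meet(a, b) for a, b in product(elems, repeat=2)} - {None} - elems
        if not new:
            return frozenset(elems)
        elems |= new

def rho_iv(dom, iv):
    """rho_dom on an interval: the least element of dom containing it."""
    return reduce(meet, (e for e in dom if e[0] <= iv[0] and iv[1] <= e[1]))

def rho(dom, x):
    """rho_dom on a finite set of integers: elements are intervals, so only the
    hull of x matters; the empty set goes to the meet of the whole domain."""
    return rho_iv(dom, (min(x), max(x))) if x else reduce(meet, dom)

# Concrete operations, exact on finite sets of integers.
add_c = lambda x, y: frozenset(a + b for a in x for b in y)
mul_c = lambda x, y: frozenset(a * b for a in x for b in y)
sq_c = lambda x: frozenset(a * a for a in x)

def _m(a, b):
    """Endpoint product with the convention 0 * inf = 0."""
    return 0 if a == 0 or b == 0 else a * b

# The same operations on intervals: they return the hull of f(gamma(A)), which
# is all rho needs because every abstract element is itself an interval.
def add_i(a, b):
    return (a[0] + b[0], a[1] + b[1])

def mul_i(a, b):
    corners = [_m(p, q) for p in a for q in b]
    return (min(corners), max(corners))

def sq_i(a):
    lo, hi = a
    if lo >= 0:
        return (_m(lo, lo), _m(hi, hi))
    if hi <= 0:
        return (_m(hi, hi), _m(lo, lo))
    return (0, max(_m(lo, lo), _m(hi, hi)))

def gap(dom, conc, absop, *args):
    """(rho(f(x)), rho(f(rho(x)))): the two sides of the completeness equation."""
    exact = rho(dom, conc(*args))
    via_abstract = rho_iv(dom, absop(*(rho(dom, a) for a in args)))
    return exact, via_abstract

def is_complete_on(dom, conc, absop, arity, samples):
    """rho o f == rho o f o rho on every tuple of the given sample inputs?"""
    return all(len(set(gap(dom, conc, absop, *a))) == 1
               for a in product(samples, repeat=arity))

def sq_r(y):
    """Right adjoint of sq (Remark 2.3): sq^r(Y) = {x | x*x in Y}.  For Y = [lo,hi]
    with lo <= 0 it is [-isqrt(hi), isqrt(hi)]; lo > 0 would give a non-interval
    preimage, which never arises for Sign/Sign+ (assumption of this example)."""
    lo, hi = y
    if hi < 0:
        return None
    if lo > 0:
        raise NotImplementedError("preimage of %r is not an interval" % (y,))
    k = inf if hi == inf else isqrt(hi)
    return (-k, k)

def core_sq(dom):
    """Core_sq(dom) = lub_i L_sq^i(dom): drop every y whose sq^r(y) is missing
    from the domain, until nothing more has to be removed."""
    while True:
        kept = frozenset(y for y in dom if sq_r(y) in dom)
        if kept == dom:
            return dom
        dom = kept

def shell_sq(dom):
    """Shell_sq(dom) = glb_i R_sq^i(dom): add the preimages sq^r(y) of all y and
    close under meets, until the domain is stable."""
    while True:
        bigger = meet_closure(dom | {sq_r(y) for y in dom if sq_r(y) is not None})
        if bigger == dom:
            return dom
        dom = bigger

# Constructed sample inputs on which the completeness equation is checked.
SAMPLES = [frozenset(s) for s in ({-1}, {1}, {0}, {2}, {3}, {0, 3}, {-2, 5}, {-3, -1})]
```

Running `core_sq(SIGNP)` returns exactly `SIGN`, i.e. the single element $[0,9]$ is removed, as in Example 2.2, while `shell_sq(SIGNP)` adds $[-3,3]$, then $[-1,1]$, and their meets with the existing elements. Checking `is_complete_on` over finitely many samples can only refute completeness, never prove it; the theorem is what guarantees the core and the shell are complete.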
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2.3 Temporal abstract interpretation 

Let us recall the basic notions and definitions of Cousot and Cousot's [10] temporal abstract 
interpretation framework (see also Schimdt's paper [24]). § is any given, possibly infinite, 
set of states. Discrete time is modeled by the whole set of integers and therefore paths of 
states are time-symmetric, in particular are infinite also in the past: P = Z — > S is the set 
of paths. As usual, an execution path with an initial state s can be encoded by repeating 
forever in the past the state s. Traces keep track of the present time, so that T = Z x P is 
defined to be the set of traces. We denote by <Ji G § the present state of a trace (i, a) G T. 
The trace-semantics of a temporal formula <j> will be a temporal model, namely the set of 
traces making cf> true. 

Temporal models will be generated by transition systems or Kripke structures, encoding 
some reactive system. The transition relation -» C § x § is assumed to be (backward and 
forward) total, i.e., Vs G S.3s' G S.s->s' andVs' G 8.3s G S.s^s'. This is not restrictive, 
since any transition relation can be lifted to a total transition relation by adding transitions 
s -> s for any state s which is not reachable (i.e., an initial state) or which cannot reach 
any state (i.e., a final state). The model generated by a transition system (S, ->} is therefore 
defined as = {(i, a) G T | i G Z, Vfc G Z. <7fc ^crfe+i}- The pre/post transformers on 
p(S) induced by (§, ->) are defined as usual: 

- prc^(F) = {a G § | 36 G Y. a -y b}; 

- pTe^(F) = ->(pre^(-.y)) = {a G § | Vfe G S.(a -> b => b G Y)}; 

- post^(y) = {6G§|3aGr. a^b}; 

- post_>(r) = ->(post^(-iF)) = {b G § | Va G S.(a -> b => a G K)}. 

The forward closure $\mathrm{Fd} : \wp(\mathbb{T}) \to \wp(\mathbb{T})$ is defined as $\mathrm{Fd}(X) = \{(i,\sigma) \in \mathbb{T} \mid \exists (i,\tau) \in X.\ \forall j \geq i.\ \sigma_j = \tau_j\}$. Dually, $\mathrm{Bd}(X) = \{(i,\sigma) \in \mathbb{T} \mid \exists (i,\tau) \in X.\ \forall j \leq i.\ \sigma_j = \tau_j\}$ is the backward closure of $X \in \wp(\mathbb{T})$. A set of traces $X$ is forward (backward) closed when $\mathrm{Fd}(X) = X$ ($\mathrm{Bd}(X) = X$), while $X$ is state closed when $X$ is both forward and backward closed. Thus, $X$ is forward (backward) closed when the past (future) does not matter, while $X$ is state closed when only the present matters.

The reversible $\mu$-calculus was introduced by Cousot and Cousot [10] as a past and future time-symmetric generalization of the $\mu$-calculus, with a trace-based semantics. Formulae $\phi$ of the reversible $\mu$-calculus are inductively defined as follows:

$$\phi ::= \sigma_S \mid \pi_t \mid X \mid \oplus\phi \mid \phi^{\leftrightarrow} \mid \phi_1 \vee \phi_2 \mid \neg\phi \mid \mu X.\phi \mid \nu X.\phi \mid \forall\phi_1 : \phi_2$$

where $S \in \wp(\mathbb{S})$, $t \in \wp(\mathbb{S} \times \mathbb{S})$ and $X \in \mathbb{X}$, for an infinite set $\mathbb{X}$ of logical variables. The set of reversible $\mu$-calculus formulae is denoted by $\mathcal{L}_{\leftrightarrow}$.

Let us give the intuition for the operators of the reversible $\mu$-calculus. $\sigma_S$ stands for a state atomic proposition which holds in traces whose present state is in $S$. $\pi_t$ stands for a transition atomic proposition which holds in traces whose next step is a transition in $t$. $\leftrightarrow$ is time-reversal, which allows one to express past/future time modalities from the corresponding future/past time modalities. $\oplus$ is the linear temporal next operator (usually denoted by X). Finally, $\forall$ is a generalized universal quantification with two arguments.

Let us recall the trace-semantics for the reversible $\mu$-calculus. $\mathrm{E} \triangleq \mathbb{X} \to \wp(\mathbb{T})$ denotes the set of environments over $\mathbb{X}$. Given $\xi \in \mathrm{E}$, $X \in \mathbb{X}$ and $N \in \wp(\mathbb{T})$, $\xi[X/N] \in \mathrm{E}$ is the environment that acts as $\xi$ on $\mathbb{X} \setminus \{X\}$ and maps $X$ to $N$. The reversible $\mu$-calculus semantics $[\![\cdot]\!] : \mathcal{L}_{\leftrightarrow} \to \mathrm{E} \to \wp(\mathbb{T})$ is inductively and partially (because least or greatest fixpoints might not exist) defined as follows:

$[\![\oplus\phi]\!]\xi = \oplus([\![\phi]\!]\xi)$

$[\![\mu X.\phi]\!]\xi \triangleq \mathrm{lfp}(\lambda N \in \wp(\mathbb{T}).\ [\![\phi]\!]\xi[X/N])$

$[\![\nu X.\phi]\!]\xi \triangleq \mathrm{gfp}(\lambda N \in \wp(\mathbb{T}).\ [\![\phi]\!]\xi[X/N])$

where the corresponding temporal transformers are defined as follows:

- For any $S \in \wp(\mathbb{S})$, $\sigma_S \triangleq \{(i,\sigma) \in \mathbb{T} \mid \sigma_i \in S\}$ is the $S$-state model, i.e., the set of traces whose current state belongs to $S$.

- For any $t \in \wp(\mathbb{S} \times \mathbb{S})$, $\pi_t \triangleq \{(i,\sigma) \in \mathbb{T} \mid (\sigma_i, \sigma_{i+1}) \in t\}$ is the $t$-transition model, i.e., the set of traces whose next step is a $t$-transition.

- $\oplus : \wp(\mathbb{T}) \to \wp(\mathbb{T})$ is the next-time or predecessor transformer:

  $\oplus(X) = \{(i-1,\sigma) \in \mathbb{T} \mid (i,\sigma) \in X\} = \{(i,\sigma) \in \mathbb{T} \mid (i+1,\sigma) \in X\}$.

- $\leftrightarrow : \wp(\mathbb{T}) \to \wp(\mathbb{T})$ is the reversal transformer:

  $\leftrightarrow(X) = \{(-i,\ \lambda k.\,\sigma_{-k}) \in \mathbb{T} \mid (i,\sigma) \in X\}$.

- $\neg : \wp(\mathbb{T}) \to \wp(\mathbb{T})$ is the complement:

  $\neg X = \mathbb{T} \setminus X$.

- Given $s \in \mathbb{S}$, $(\cdot)_{\downarrow s} : \wp(\mathbb{T}) \to \wp(\mathbb{T})$ is the state projection operator:

  $X_{\downarrow s} \triangleq \{(i,\sigma) \in X \mid \sigma_i = s\}$.

- $\forall : \wp(\mathbb{T}) \times \wp(\mathbb{T}) \to \wp(\mathbb{T})$ is the universal quantifier:

  $\forall(X, Y) \triangleq \{(i,\sigma) \in X \mid X_{\downarrow\sigma_i} \subseteq Y\}$.

If $\phi \in \mathcal{L}_{\leftrightarrow}$ is a closed formula then its semantics is independent from the environment $\xi$ and thus we simply write $[\![\phi]\!]$.

The time-reversal operator of the reversible $\mu$-calculus allows one to express both backward and forward time modalities. Standard linear and branching temporal specification languages like (past and future) LTL, linear $\mu$-calculus, CTL*, CTL, etc., can all be expressed as suitable fragments of the reversible $\mu$-calculus, since the standard missing operators can be defined as derived operators. Let us see some examples.

- Previous-time (or successor) $\ominus$: $\ominus(X) = \leftrightarrow(\oplus(\leftrightarrow(X))) = \{(i+1,\sigma) \in \mathbb{T} \mid (i,\sigma) \in X\} = \{(i,\sigma) \in \mathbb{T} \mid (i-1,\sigma) \in X\}$.

- Forward sometime (or finally) $\mathrm{F}$: $\mathrm{F}(X) = \mathrm{lfp}(\lambda Y \in \wp(\mathbb{T}).\ X \cup \oplus(Y)) = \bigcup_{n \in \mathbb{N}} \oplus^n(X)$.

- Forward globally $\mathrm{G}$: $\mathrm{G}(X) = \mathrm{gfp}(\lambda Y \in \wp(\mathbb{T}).\ X \cap \oplus(Y)) = \bigcap_{n \in \mathbb{N}} \oplus^n(X)$.

- Backward sometime $\mathrm{F}_-$: $\mathrm{F}_-(X) = \leftrightarrow(\mathrm{F}(\leftrightarrow(X))) = \bigcup_{n \in \mathbb{N}} \ominus^n(X)$.

- Backward globally $\mathrm{G}_-$: $\mathrm{G}_-(X) = \leftrightarrow(\mathrm{G}(\leftrightarrow(X))) = \bigcap_{n \in \mathbb{N}} \ominus^n(X)$.

Thus, the traces of a model $\mathcal{M}_\to$ can be defined as $\mathrm{S}\pi_\to = \mathrm{G}(\pi_\to) \wedge \mathrm{G}_-(\pi_\to)$, so that $\mathcal{M}_\to = [\![\mathrm{S}\pi_\to]\!]$. Therefore, standard universal quantification in $\mathcal{M}_\to$ can be defined as $\forall\phi = \forall(\mathrm{S}\pi_\to) : \phi$, while existential quantification is defined by $\exists\phi_1 : \phi_2 = \neg(\forall\phi_1 : \neg\phi_2)$.

In this framework, the trace-based model checking problem is as follows. Let $\mathcal{M}_\to$ be a model and $\phi \in \mathcal{L}_{\leftrightarrow}$ be a closed temporal specification. Then, the universal (existential) model checking problem consists in determining whether $\mathcal{M}_\to \subseteq [\![\phi]\!]$ ($[\![\phi]\!] \cap \mathcal{M}_\to \neq \emptyset$).

2.4 State-based model checking abstraction

Cousot and Cousot [10] show how states can be viewed as an abstract interpretation of 
traces through universal or existential checking abstractions. This abstraction from traces 
to states induces a corresponding state-based model checking problem which is an approx- 
imation of the concrete trace-based problem. 

2.4.1 Universal checking abstraction 

For the universal model checking problem, the right notion of approximation is encoded by the superset relation. In fact, if $[\![\cdot]\!]^\sharp$ is an approximated semantics such that $[\![\phi]\!]^\sharp \subseteq [\![\phi]\!]$ for any $\phi$, then the universal abstract verification $\mathcal{M}_\to \subseteq [\![\phi]\!]^\sharp$ entails the concrete one $\mathcal{M}_\to \subseteq [\![\phi]\!]$. Thus, $[\![\cdot]\!]^\sharp_1 \subseteq [\![\cdot]\!]^\sharp_2$ means that $[\![\cdot]\!]^\sharp_2$ is a better approximation than $[\![\cdot]\!]^\sharp_1$, so that sets of traces and states are ordered w.r.t. the superset relation: $\langle \wp(\mathbb{T}), \supseteq \rangle$ and $\langle \wp(\mathbb{S}), \supseteq \rangle$ play, respectively, the role of concrete and abstract domain. Let $M \subseteq \mathbb{T}$ be any given model, e.g. generated by a total transition system $\langle \mathbb{S}, \to \rangle$. Traces can be abstracted to states through the universal quantifier: a set of traces $X \subseteq \mathbb{T}$ is abstracted to the set of states $s \in \mathbb{S}$ such that any trace in the model $M$ whose present state is $s$ belongs to $X$. Formally, the universal checking abstraction $\alpha^\forall_M : \wp(\mathbb{T}) \to \wp(\mathbb{S})$ is defined as follows:

$\alpha^\forall_M(X) \triangleq \{s \in \mathbb{S} \mid M_{\downarrow s} \subseteq X\}$.

Thus, $\alpha^\forall_M$ abstracts the trace-semantics $[\![\phi]\!]$ of some temporal specification $\phi \in \mathcal{L}_{\leftrightarrow}$ to the set of (present) states $s$ which universally satisfy $\phi$, that is, such that any trace of $M$ with present state $s$ satisfies $\phi$. This map is onto (by totality of $\to$) and preserves arbitrary intersections, therefore it induces a Galois insertion $(\alpha^\forall_M, \wp(\mathbb{T})_\supseteq, \wp(\mathbb{S})_\supseteq, \gamma^\forall_M)$ where $\gamma^\forall_M$ is the right adjoint. A set of states $S \in \wp(\mathbb{S})$ is viewed through the concretization map $\gamma^\forall_M$ as an abstract representation for the set of traces in $M$ whose present state belongs to $S$. Hence, the universal concretization $\gamma^\forall_M : \wp(\mathbb{S}) \to \wp(\mathbb{T})$ is defined as follows:

$\gamma^\forall_M(S) = \{(i,\sigma) \in M \mid \sigma_i \in S\}$.

For our purposes it is helpful to view the universal abstraction $(\alpha^\forall_M, \wp(\mathbb{T})_\supseteq, \wp(\mathbb{S})_\supseteq, \gamma^\forall_M)$ as a closure operator in order to make our analysis independent from specific representations of abstract domains of $\wp(\mathbb{T})$.

Definition 2.4. The universal checking closure (or simply universal closure) relative to a model $M \in \wp(\mathbb{T})$ is given by $\rho^\forall_M = \gamma^\forall_M \circ \alpha^\forall_M \in \mathrm{uco}(\wp(\mathbb{T})_\supseteq)$. Thus, $\rho^\forall_M = \lambda X.\ \{(i,\sigma) \in M \mid M_{\downarrow\sigma_i} \subseteq X\}$. □

Notice that, due to the superset relation, $\rho^\forall_M(X) \subseteq X$. The intuition is that $\rho^\forall_M(X)$ throws away from $X$ all those traces $(i,\sigma)$ which either are not in $M$ (these traces "do not matter", since $\alpha^\forall_M(\neg M) = \emptyset$) or are in $M$ but whose present state $\sigma_i$ does not universally satisfy $X$.

Let us observe that, for any $S \in \wp(\mathbb{S})$, $\gamma^\forall_M(S) = \bigcup_{s \in S} M_{\downarrow s}$ and that the set of fixpoints of $\rho^\forall_M$ can also be characterized as follows:

$\rho^\forall_M = \{\gamma^\forall_M(S) \mid S \subseteq \mathbb{S}\}$ (‡)

because $\rho^\forall_M = \{\gamma^\forall_M(\alpha^\forall_M(X)) \mid X \in \wp(\mathbb{T})\} = \{\gamma^\forall_M(S) \mid S \subseteq \mathbb{S}\}$.

Example 2.5. Consider the two-state transition system in Example 1.1 generating the model $\mathcal{M}_\to$. Consider the following four sets of traces, each described by the shape of its paths and by its present state:

$a$: paths of the form $\cdots 1\,1\,1\,1\,1\,1 \cdots$ (only $1$'s), present state $1$;

$b$: paths of the form $\cdots 1\,1\,1\,1\,2\,2\,2 \cdots$ ($1$'s followed by $2$'s), present state $1$;

$c$: paths of the form $\cdots 1\,1\,1\,2\,2\,2\,2 \cdots$ ($1$'s followed by $2$'s), present state $2$;

$d$: paths of the form $\cdots 2\,2\,2\,2\,1\,1\,1 \cdots$ ($2$'s followed by $1$'s), present state $2$.

For the sets of traces $a$ and $b$ the present state is $1$, while in $c$ and $d$ the present state is $2$. Let $X = a \cup b \cup c \cup d$. It turns out that $\rho^\forall_M(X) = a \cup b$ because:

- the trace $\cdots 2\,2\,2\,2\,2\,2 \cdots$ with present state $2$ belongs to $(\mathcal{M}_\to)_{\downarrow 2}$ but it does not belong to $X$, so that $c \cap \rho^\forall_M(X) = \emptyset$;

- the traces in $d$ do not belong to $\mathcal{M}_\to$, so that $d \cap \rho^\forall_M(X) = \emptyset$.

As a further example, let us consider the formula $\oplus p \in \mathcal{L}_{\leftrightarrow}$, where $p = \sigma_{\{1\}}$. We have that $[\![\oplus p]\!] = \oplus([\![p]\!]) = \{(i,\sigma) \in \mathbb{T} \mid \sigma_{i+1} = 1\}$, so that $[\![\oplus p]\!] \cap \mathcal{M}_\to = (\mathcal{M}_\to)_{\downarrow 1} \setminus \{(i,\sigma) \in (\mathcal{M}_\to)_{\downarrow 1} \mid \sigma_{i+1} = 2\}$. Therefore, it turns out that $\rho^\forall_M([\![\oplus p]\!]) = \emptyset$. □

In the paper, we will make the following weak assumption on the universal closure.

Hypothesis 2.6. For any universal checking closure $\rho^\forall_M$, the model $M \in \wp(\mathbb{T})$ is such that (i) for any $s \in \mathbb{S}$, $|M_{\downarrow s}| > 1$ and (ii) $\oplus(M) = M = \ominus(M)$ and $\oplus(\leftrightarrow(M)) = \leftrightarrow(M) = \ominus(\leftrightarrow(M))$. □

Hypothesis (i) means that for any state $s$, there exist at least two traces in $M$ with present state $s$, while hypothesis (ii) means that $M$ and its reversal $\leftrightarrow(M)$ are closed under forward and backward time progress. These conditions are obviously satisfied by any model generated by a total transition system $\langle \mathbb{S}, \to \rangle$.

2.4.2 Existential checking abstraction 

The existential checking abstraction is defined by duality. In this case, the relation of approximation is set inclusion, because $[\![\phi]\!] \subseteq [\![\phi]\!]^\sharp_1 \subseteq [\![\phi]\!]^\sharp_2$ and $[\![\phi]\!]^\sharp_1 \cap M \neq \emptyset$ imply $[\![\phi]\!]^\sharp_2 \cap M \neq \emptyset$. The Galois insertion $(\alpha^\exists_M, \wp(\mathbb{T})_\subseteq, \wp(\mathbb{S})_\subseteq, \gamma^\exists_M)$ is defined by duality as follows:

$\alpha^\exists_M(X) = \neg(\alpha^\forall_M(\neg X)) = \{s \in \mathbb{S} \mid M_{\downarrow s} \cap X \neq \emptyset\}$

$\gamma^\exists_M(S) = \neg(\gamma^\forall_M(\neg S)) = \{(i,\sigma) \in \mathbb{T} \mid ((i,\sigma) \in M) \Rightarrow (\sigma_i \in S)\}$.

The intuition is that $\alpha^\exists_M$ abstracts a given trace-semantics $[\![\phi]\!]$ to the set of states which existentially satisfy $\phi$. In this case, the existential checking closure relative to a model $M$ is $\rho^\exists_M = \gamma^\exists_M \circ \alpha^\exists_M \in \mathrm{uco}(\wp(\mathbb{T})_\subseteq)$, that is,

$\rho^\exists_M(X) = \{(i,\sigma) \in \mathbb{T} \mid ((i,\sigma) \in M) \Rightarrow M_{\downarrow\sigma_i} \cap X \neq \emptyset\} = \{(i,\sigma) \in M \mid M_{\downarrow\sigma_i} \cap X \neq \emptyset\} \cup \neg M$.

Hence, $\rho^\exists_M(X)$ adds to $X$ any trace which is not in $M$ (these are meaningless because $\alpha^\exists_M(\neg M) = \emptyset$) and any trace in $M$ whose present state existentially satisfies $X$. $\rho^\exists_M$ is dual to $\rho^\forall_M$ since $\rho^\exists_M = \neg \circ \rho^\forall_M \circ \neg$. In the following, we will consider the universal abstraction only, since all the results can be stated and proved by duality in the existential case.
2.4.3 State-based abstract semantics

The universal abstraction for some model $M$ (typically $M = \mathcal{M}_\to$ for some total transition system $\langle \mathbb{S}, \to \rangle$) induces a state-based abstract semantics on $\wp(\mathbb{S})$ of the reversible $\mu$-calculus which is obtained by applying standard abstract interpretation: basically, this amounts to abstracting any trace transformer on $\wp(\mathbb{T})$ by the corresponding best correct approximation on $\wp(\mathbb{S})$ induced by the universal abstraction $\alpha^\forall_M/\gamma^\forall_M$. For example, the next-time transformer $\oplus : \wp(\mathbb{T}) \to \wp(\mathbb{T})$ is abstracted to $\alpha^\forall_M \circ \oplus \circ \gamma^\forall_M : \wp(\mathbb{S}) \to \wp(\mathbb{S})$.

The general scenario is as follows. $\mathrm{E}^s = \mathbb{X} \to \wp(\mathbb{S})$ is the set of state environments. The state-based abstract semantics $[\![\cdot]\!]^\forall_M : \mathcal{L}_{\leftrightarrow} \to \mathrm{E}^s \to \wp(\mathbb{S})$ is inductively defined by replacing each trace transformer $\mathrm{Tr} : \wp(\mathbb{T}) \to \wp(\mathbb{T})$ with its corresponding best correct approximation on states $\alpha^\forall_M \circ \mathrm{Tr} \circ \gamma^\forall_M : \wp(\mathbb{S}) \to \wp(\mathbb{S})$. The following lemma characterizes these best correct approximations.

Lemma 2.7.

(1) $\alpha^\forall_M(\sigma_S) = S$;

(2) $\alpha^\forall_M(\pi_t) = \{s \in \mathbb{S} \mid \forall s' \in \mathbb{S}.\ s \to s' \Rightarrow (s,s') \in t\}$;

(3) $\alpha^\forall_M(\gamma^\forall_M(S_1) \cup \gamma^\forall_M(S_2)) = S_1 \cup S_2$;

(4) $\alpha^\forall_M \circ \neg \circ \gamma^\forall_M = \neg$;

(5) $\alpha^\forall_M \circ \oplus \circ \gamma^\forall_M = \widetilde{\mathrm{pre}}_\to$;

(6) $\alpha^\forall_M(\leftrightarrow(\gamma^\forall_M(S))) = \{s \in S \mid M_{\downarrow s} = (\leftrightarrow M)_{\downarrow s}\}$;

(7) $\alpha^\forall_M(\forall(\gamma^\forall_M(S_1), \gamma^\forall_M(S_2))) = S_1 \cap S_2$.

Proof. Point (1) is as follows: $\alpha^\forall_M(\sigma_S) = \{s \in \mathbb{S} \mid M_{\downarrow s} \subseteq \{(i,\sigma) \in \mathbb{T} \mid \sigma_i \in S\}\} = \{s \in \mathbb{S} \mid ((i,\sigma) \in M \ \&\ \sigma_i = s) \Rightarrow \sigma_i \in S\}$. Since, by Hypothesis 2.6, $|M_{\downarrow s}| > 1$, we obtain that $\{s \in \mathbb{S} \mid ((i,\sigma) \in M \ \&\ \sigma_i = s) \Rightarrow \sigma_i \in S\} = S$.

Point (2) is as follows: $\alpha^\forall_M(\pi_t) = \{s \in \mathbb{S} \mid M_{\downarrow s} \subseteq \{(i,\sigma) \in \mathbb{T} \mid (\sigma_i,\sigma_{i+1}) \in t\}\} = \{s \in \mathbb{S} \mid ((i,\sigma) \in M \ \&\ \sigma_i = s) \Rightarrow (\sigma_i,\sigma_{i+1}) \in t\} = \{s \in \mathbb{S} \mid \forall s' \in \mathbb{S}.\ s \to s' \Rightarrow (s,s') \in t\}$.

Point (3) is as follows: $\alpha^\forall_M(\gamma^\forall_M(S_1) \cup \gamma^\forall_M(S_2)) = \alpha^\forall_M(\gamma^\forall_M(S_1 \cup S_2)) = S_1 \cup S_2$.

Let us consider point (4) and let us show that $\neg\alpha^\forall_M(\neg\gamma^\forall_M(S)) = S$. By [10, Section 11.7], $\neg \circ \alpha^\forall_M = \alpha^\exists_M \circ \neg$, so that we have that $\neg\alpha^\forall_M(\neg\gamma^\forall_M(S)) = \alpha^\exists_M(\gamma^\forall_M(S)) = \{s \in \mathbb{S} \mid M_{\downarrow s} \cap \gamma^\forall_M(S) \neq \emptyset\}$. By exploiting Hypothesis 2.6, which guarantees that $|M_{\downarrow s}| > 1$, it is immediate to prove that $\{s \in \mathbb{S} \mid M_{\downarrow s} \cap \gamma^\forall_M(S) \neq \emptyset\} = S$.

Point (5) is shown in [10, Section 11.2].

Point (6) is as follows. By [10, Section 11.7], $\alpha^\forall_M \circ \leftrightarrow = \alpha^\forall_{\leftrightarrow M}$. Thus, $\alpha^\forall_M(\leftrightarrow(\gamma^\forall_M(S))) = \{t \in \mathbb{S} \mid (\leftrightarrow M)_{\downarrow t} \subseteq \gamma^\forall_M(S)\} = \{t \in \mathbb{S} \mid (\leftrightarrow M)_{\downarrow t} \subseteq \bigcup_{s \in S} M_{\downarrow s}\}$. Since $(\leftrightarrow M)_{\downarrow t} \subseteq M_{\downarrow t}$ iff $(\leftrightarrow M)_{\downarrow t} = M_{\downarrow t}$, we obtain that $\alpha^\forall_M(\leftrightarrow(\gamma^\forall_M(S))) = \{s \in S \mid M_{\downarrow s} = (\leftrightarrow M)_{\downarrow s}\}$.

Finally, point (7) is as follows. Observe that $\alpha^\forall_M(\forall(\gamma^\forall_M(S_1), \gamma^\forall_M(S_2))) = \{s \in \mathbb{S} \mid M_{\downarrow s} \subseteq \{(i,\sigma) \in \gamma^\forall_M(S_1) \mid (\gamma^\forall_M(S_1))_{\downarrow\sigma_i} \subseteq \gamma^\forall_M(S_2)\}\}$. On the one hand, it is easy to check that $S_1 \cap S_2 \subseteq \alpha^\forall_M(\forall(\gamma^\forall_M(S_1), \gamma^\forall_M(S_2)))$. The reverse inclusion follows easily by noting that Hypothesis 2.6 ensures that for any $s \in \mathbb{S}$ there exists some $(i,\sigma) \in M_{\downarrow s}$. □

By the above lemma, the abstract semantics $[\![\cdot]\!]^\forall_M : \mathcal{L}_{\leftrightarrow} \to \mathrm{E}^s \to \wp(\mathbb{S})$ is inductively defined as follows:

$[\![\pi_t]\!]^\forall_{M,\xi} = \{s \in \mathbb{S} \mid \forall s' \in \mathbb{S}.\ s \to s' \Rightarrow (s,s') \in t\}$

$[\![\oplus\phi]\!]^\forall_{M,\xi} = \widetilde{\mathrm{pre}}_\to([\![\phi]\!]^\forall_{M,\xi})$

$[\![\phi^{\leftrightarrow}]\!]^\forall_{M,\xi} = \alpha^\forall_M(\leftrightarrow(\gamma^\forall_M([\![\phi]\!]^\forall_{M,\xi})))$

$[\![\mu X.\phi]\!]^\forall_{M,\xi} = \mathrm{lfp}(\lambda S \in \wp(\mathbb{S}).\ [\![\phi]\!]^\forall_{M,\xi[X/S]})$

$[\![\nu X.\phi]\!]^\forall_{M,\xi} = \mathrm{gfp}(\lambda S \in \wp(\mathbb{S}).\ [\![\phi]\!]^\forall_{M,\xi[X/S]})$

Thus, for any linear formula $\phi$, namely a formula $\phi$ with no quantifier, $[\![\phi]\!]^\forall_M$ provides the state-semantics of the state formula $\phi^\forall$ which is obtained from $\phi$ by preceding each linear temporal operator occurring in $\phi$, i.e. next-time $\oplus$ and time-reversal $\leftrightarrow$, by the universal path quantifier $\forall$.
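As an added worked example (not from the paper), here is the finite-state instance of the definitions above: the pre/post transformers of Section 2.3 and the clauses of $[\![\cdot]\!]^\forall_M$ for quantifier-free formulae, evaluated on the two-state system of Example 1.1. The transition relation $\{1 \to 1,\ 1 \to 2,\ 2 \to 2\}$ is assumed from the traces shown in Example 2.5 and from Example 3.7; the tuple encoding of formulae, the function names and the Kleene iteration used for the fixpoint clauses are ours.

```python
# Added example (not from the paper): a finite-state, executable version of the
# pre/post transformers and of the universal state-based semantics [[.]]^forall_M
# for quantifier-free formulae (sigma_S, pi_t, next-time, disjunction, negation,
# mu/nu), built clause by clause from Lemma 2.7.
# Transition system of Example 1.1, as assumed from Examples 2.5 and 3.7:
# states {1, 2} with 1->1, 1->2, 2->2 (total in both directions).
from typing import Dict, FrozenSet, Optional, Tuple

State = int
Rel = FrozenSet[Tuple[State, State]]

STATES: FrozenSet[State] = frozenset({1, 2})
ARROW: Rel = frozenset({(1, 1), (1, 2), (2, 2)})


def pre(rel: Rel, y: FrozenSet[State]) -> FrozenSet[State]:
    """pre_->(Y) = {a | exists b in Y. a -> b}."""
    return frozenset(a for (a, b) in rel if b in y)


def post(rel: Rel, y: FrozenSet[State]) -> FrozenSet[State]:
    """post_->(Y) = {b | exists a in Y. a -> b}."""
    return frozenset(b for (a, b) in rel if a in y)


def pre_tilde(states: FrozenSet[State], rel: Rel, y: FrozenSet[State]) -> FrozenSet[State]:
    """~pre_->(Y) = not(pre_->(not Y)) = {a | forall b. a -> b implies b in Y}."""
    return states - pre(rel, states - y)


def post_tilde(states: FrozenSet[State], rel: Rel, y: FrozenSet[State]) -> FrozenSet[State]:
    """~post_->(Y) = not(post_->(not Y)) = {b | forall a. a -> b implies a in Y}."""
    return states - post(rel, states - y)


# Formulae are nested tuples (our encoding):
#   ("sigma", S)  ("pi", t)  ("var", name)  ("next", phi)  ("or", a, b)
#   ("not", phi)  ("mu", name, phi)  ("nu", name, phi)
Formula = tuple


def sem(phi: Formula, states: FrozenSet[State], rel: Rel,
        env: Optional[Dict[str, FrozenSet[State]]] = None) -> FrozenSet[State]:
    """Universal state-based semantics of a linear formula (Lemma 2.7 / Section 2.4.3).
    Fixpoints are computed by Kleene iteration, which terminates because the
    state space is finite and the variable occurs positively in the examples."""
    env = env or {}
    op = phi[0]
    if op == "sigma":                       # alpha(sigma_S) = S
        return frozenset(phi[1])
    if op == "pi":                          # alpha(pi_t): every outgoing step lies in t
        t = frozenset(phi[1])
        return frozenset(s for s in states
                         if all((s, s2) in t for (s1, s2) in rel if s1 == s))
    if op == "var":
        return env[phi[1]]
    if op == "next":                        # alpha o (+) o gamma = ~pre_->
        return pre_tilde(states, rel, sem(phi[1], states, rel, env))
    if op == "or":                          # alpha(gamma(S1) U gamma(S2)) = S1 U S2
        return sem(phi[1], states, rel, env) | sem(phi[2], states, rel, env)
    if op == "not":                         # alpha o not o gamma = not
        return states - sem(phi[1], states, rel, env)
    if op in ("mu", "nu"):
        name, body = phi[1], phi[2]
        cur = frozenset() if op == "mu" else states
        while True:
            nxt = sem(body, states, rel, {**env, name: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown operator {op!r}")


def conj(a: Formula, b: Formula) -> Formula:
    """Conjunction as a derived operator: a and b = not(not a or not b)."""
    return ("not", ("or", ("not", a), ("not", b)))


def demo() -> Dict[str, FrozenSet[State]]:
    """A few formulae over the two-state system; results returned for inspection."""
    p1, p2 = ("sigma", {1}), ("sigma", {2})
    return {
        # (+)p with p = sigma_{1}: no state universally satisfies it (cf. Example 2.5)
        "next_1": sem(("next", p1), STATES, ARROW),
        "next_2": sem(("next", p2), STATES, ARROW),
        # nu X. sigma_{2} and (+)X : states all of whose futures stay in 2
        "always_2": sem(("nu", "X", conj(p2, ("next", ("var", "X")))), STATES, ARROW),
        # mu X. sigma_{2} or (+)X : states that inevitably reach 2
        "inevitably_2": sem(("mu", "X", ("or", p2, ("next", ("var", "X")))), STATES, ARROW),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, sorted(value))
```

Because $1 \to 1$ is a transition, state $1$ never universally satisfies $\oplus\sigma_{\{1\}}$ (the successor may be $2$) nor "inevitably $2$" (the path $1\,1\,1\cdots$ never leaves $1$), which is what the two fixpoint formulae return.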

The universal abstraction $\alpha^\forall_M$ is extended pointwise to environments $\alpha^\forall_M : \mathrm{E} \to \mathrm{E}^s$ as follows: $\alpha^\forall_M(\xi) = \lambda X \in \mathbb{X}.\ \alpha^\forall_M(\xi(X))$. The correctness of the state-based semantics $[\![\cdot]\!]^\forall_M$ is a consequence of its abstract interpretation-based definition:

For any $\phi \in \mathcal{L}_{\leftrightarrow}$ and $\xi \in \mathrm{E}$, $\alpha^\forall_M([\![\phi]\!]\xi) \supseteq [\![\phi]\!]^\forall_{M,\alpha^\forall_M(\xi)}$.

This means that given any state $s \in [\![\phi]\!]^\forall_{M,\alpha^\forall_M(\xi)}$, it turns out that any trace $(i,\sigma)$ in $M$ whose present state is $s$ satisfies $\phi$. Following the terminology by Kupferman and Vardi [17, 25], when $\alpha^\forall_M([\![\phi]\!]\xi) = [\![\phi]\!]^\forall_{M,\alpha^\forall_M(\xi)}$ holds for some $\phi \in \mathcal{L}_{\leftrightarrow}$, the formula $\phi$ is called branchable. In general, completeness does not hold for all the formulae of the reversible $\mu$-calculus, i.e. the above containment may be strict, as shown in the Introduction. This intuitively means that universal model checking of linear formulae cannot be reduced without loss of precision to universal model checking on states through the universal quantifier abstraction. Consequently, it turns out that the universal abstraction is incomplete for some trace operators of the reversible $\mu$-calculus. Cousot and Cousot [10, Section 11] identified the sources of this incompleteness, namely those operators $\mathrm{Op}$ of the reversible $\mu$-calculus such that $\rho^\forall_M$ is incomplete for $\mathrm{Op}$: next-time, disjunction, negation and time-reversal. Incompleteness of $\rho^\forall_M$ w.r.t. time-reversal and negation is not explicitly mentioned in [10] and is shown by the following example.

Example 2.8. Consider the two-state transition system in Example 1.1. Let $X = \{(i,\sigma) \in \mathbb{T} \mid \forall k \geq i.\ \sigma_k = 1\}$, so that $\leftrightarrow(X) = \{(i,\sigma) \in \mathbb{T} \mid \forall k \leq i.\ \sigma_k = 1\}$. Since $(\mathcal{M}_\to)_{\downarrow 1} \not\subseteq X$ and $(\mathcal{M}_\to)_{\downarrow 2} \not\subseteq X$, we have that $\rho^\forall_M(X) = \emptyset$ and therefore $\rho^\forall_M(\leftrightarrow(\rho^\forall_M(X))) = \emptyset$. Instead, it turns out that $\rho^\forall_M(\leftrightarrow(X)) = (\mathcal{M}_\to)_{\downarrow 1}$ (every trace of $\mathcal{M}_\to$ with present state $1$ has only $1$'s in its past). This means that $\rho^\forall_M$ is not complete for $\leftrightarrow$.

As far as negation is concerned, consider any $(i,\sigma) \in (\mathcal{M}_\to)_{\downarrow 1}$ (e.g., $(0, \lambda k \in \mathbb{Z}.\,1)$) and $(j,\tau) \in (\mathcal{M}_\to)_{\downarrow 2}$ (e.g., $(0, \lambda k \in \mathbb{Z}.\,2)$), and let $X = \neg\{(i,\sigma), (j,\tau)\}$. Then, it turns out that $\rho^\forall_M(X) = \rho^\forall_M(\neg\{(i,\sigma), (j,\tau)\}) = \emptyset$, while $\rho^\forall_M(\neg\rho^\forall_M(X)) = \rho^\forall_M(\neg\emptyset) = \rho^\forall_M(\mathbb{T}) = \mathcal{M}_\to$, so that completeness does not hold. □

Cousot and Cousot [10] provide some conditions on the incomplete trace operators that ensure completeness of $\rho^\forall_M$. As far as next-time is concerned, Cousot and Cousot show that completeness of $\rho^\forall_M$ for $\oplus$ holds when the linear operator $\oplus$ is restricted to forward closed (i.e. future-time) formulae, namely formulae of the reversible $\mu$-calculus without time-reversal. On the other hand, when disjunction is restricted to have at least one state formula, i.e. a universally quantified formula, as a disjunct, it turns out that $\rho^\forall_M$ is complete. These sufficient conditions allow one to identify some complete fragments of the reversible $\mu$-calculus. This is the case, for example, of the $\mu$-calculus considered by Cousot and Cousot in [10, Section 13], where time-reversal is disallowed and disjunction is restricted to have at least one state formula as a disjunct.

Completeness of $\rho^\forall_M$ is related to Maidl's [19] characterization of the maximum common fragment $\mathrm{LTL}_{\mathrm{det}}$ of LTL and ACTL, which is defined as follows:

$$\mathrm{LTL}_{\mathrm{det}} \ni \phi ::= \sigma_S \mid \neg\sigma_S \mid \phi_1 \wedge \phi_2 \mid (\sigma_S \wedge \phi_1) \vee (\neg\sigma_S \wedge \phi_2) \mid \oplus\phi \mid \mathrm{U}(\sigma_S \wedge \phi_1, \neg\sigma_S \wedge \phi_2) \mid \mathrm{W}(\sigma_S \wedge \phi_1, \neg\sigma_S \wedge \phi_2)$$

where $\mathrm{U}$ and $\mathrm{W}$ denote, respectively, the standard until and weak-until (i.e., $\mathrm{W}(\phi_1, \phi_2) = \mathrm{G}\phi_1 \vee \mathrm{U}(\phi_1, \phi_2)$) operators. Obviously, $\mathrm{LTL}_{\mathrm{det}}$ is a fragment of the reversible $\mu$-calculus. Maidl [19] shows that $\mathrm{LTL}_{\mathrm{det}} = \mathrm{LTL} \cap \mathrm{ACTL}$, namely for any $\phi \in \mathrm{LTL}$, there exists some $\psi \in \mathrm{ACTL}$ such that $\alpha^\forall_M([\![\phi]\!]) = [\![\psi]\!]$ iff there exists some $\zeta \in \mathrm{LTL}_{\mathrm{det}}$ such that $[\![\phi]\!] = [\![\zeta]\!]$.

Ranzato and Tapparo [23] show that the universal abstraction is complete for all the formulae of $\mathrm{LTL}_{\mathrm{det}}$, namely for any $\phi \in \mathrm{LTL}_{\mathrm{det}}$, $\alpha^\forall_M([\![\phi]\!]) = [\![\phi]\!]^\forall_M$. Let $\mathrm{LTL}_\forall = \{\phi \in \mathrm{LTL} \mid \alpha^\forall_M([\![\phi]\!]) = [\![\phi]\!]^\forall_M\}$ denote the set of branchable LTL formulae. Thus, we have that $\mathrm{LTL}_{\mathrm{det}} \subseteq \mathrm{LTL}_\forall$. Furthermore, the following converse holds: any branchable LTL formula is equivalent to some formula in $\mathrm{LTL}_{\mathrm{det}}$. In fact, if $\phi \in \mathrm{LTL}$ is branchable then, by Maidl's [19] Corollary 1, there exists some $\psi \in \mathrm{LTL}_{\mathrm{det}}$ such that $[\![\phi]\!] = [\![\psi]\!]$. As a consequence, we obtain the following characterization of branchability for LTL formulae.

Theorem 2.9. Let $\phi \in \mathrm{LTL}$. Then, there exists $\zeta \in \mathrm{LTL}_\forall$ such that $[\![\phi]\!] = [\![\zeta]\!]$ if and only if there exists $\psi \in \mathrm{LTL}_{\mathrm{det}}$ such that $[\![\phi]\!] = [\![\psi]\!]$.

Thus, $\mathrm{LTL}_{\mathrm{det}}$ also provides a syntactic characterization for the set of branchable LTL formulae.



3 Complete cores and shells for temporal connectives

In the following, we will characterize the complete cores and shells of the universal abstraction $\rho^\forall_M$ for the following trace operators, which are sources of incompleteness: next-time, disjunction and time-reversal. These complete cores and shells do exist because $\oplus$, $\cup$ and $\leftrightarrow$ are trivially continuous functions on the concrete domain $\wp(\mathbb{T})_\supseteq$, so that we can exploit Theorem 2.1 in order to characterize them. As recalled in Section 2.2.3, complete shells may not exist, and we show that this is indeed the case for negation. Let us observe that Theorem 2.1 cannot be applied in this case because negation is not continuous on $\wp(\mathbb{T})_\supseteq$. On the other hand, the complete core for negation does exist.

One remarkable feature of our approach lies in the fact that it is fully constructive, namely Theorem 2.1 always provides complete cores and shells in fixpoint form, so that we do not need to conjecture some abstract domain and subsequently prove that it is indeed a complete core or shell.

3.1 Negation 

Theorem 3.1. The complete shell of $\rho^\forall_M$ for $\neg$ does not exist.

Proof. Let us consider the simplest transition system $\langle \{\bullet\}, \{\bullet \to \bullet\} \rangle$ consisting of a single state $\bullet$ and of a single transition $\bullet \to \bullet$. The only possible path is $\lambda n \in \mathbb{Z}.\,\bullet$, so that the model $M$ generated by this transition system coincides with the set of traces, namely $M = \{(i, \lambda n.\,\bullet) \mid i \in \mathbb{Z}\}$. Thus, any set of traces can be simply represented by the corresponding set of present times, namely by a corresponding set of integers, so that the concrete domain $\wp(\mathbb{T})_\supseteq$ can be represented by $\wp(\mathbb{Z})_\supseteq$ and in particular $M = \mathbb{Z}$. We also have that $\rho^\forall_M = \{\emptyset, \mathbb{Z}\}$.

Let $\mathbb{Z}_{\mathrm{ev}}$ and $\mathbb{Z}_{\mathrm{od}}$ denote, respectively, the set of even and odd integers and consider the following two closures: for any $X \in \wp(\mathbb{Z})$,



Let us note that $\rho_{\mathrm{ev}}, \rho_{\mathrm{od}} \in \mathrm{uco}(\wp(\mathbb{Z})_\supseteq)$, because their images are closed under arbitrary unions, and that $\rho_{\mathrm{ev}}, \rho_{\mathrm{od}} \sqsubseteq \rho^\forall_M$. Let us show that $\rho_{\mathrm{ev}}$ is complete for $\neg$ (the case of $\rho_{\mathrm{od}}$ is analogous). If $X \in \{\mathbb{Z}, \emptyset\}$ then $\rho_{\mathrm{ev}}(\neg X) = \rho_{\mathrm{ev}}(\neg\rho_{\mathrm{ev}}(X))$ trivially holds. If $X \in \wp(\mathbb{Z})$ and $X \notin \{\mathbb{Z}, \emptyset\}$ then

$\rho_{\mathrm{ev}}(\neg\rho_{\mathrm{ev}}(X)) = \rho_{\mathrm{ev}}(\neg(\mathbb{Z}_{\mathrm{ev}} \cap X)) = \rho_{\mathrm{ev}}(\mathbb{Z}_{\mathrm{od}} \cup \neg X) = \mathbb{Z}_{\mathrm{ev}} \cap (\mathbb{Z}_{\mathrm{od}} \cup \neg X) = \mathbb{Z}_{\mathrm{ev}} \cap \neg X = \rho_{\mathrm{ev}}(\neg X)$.

If $\mathrm{Shell}_\neg(\rho^\forall_M)$ existed then we would have that $\rho_{\mathrm{ev}}, \rho_{\mathrm{od}} \sqsubseteq \mathrm{Shell}_\neg(\rho^\forall_M)$, so that $\rho_{\mathrm{ev}} \sqcup \rho_{\mathrm{od}} \sqsubseteq \mathrm{Shell}_\neg(\rho^\forall_M)$. But $\rho_{\mathrm{ev}} \sqcup \rho_{\mathrm{od}} = \rho^\forall_M$, so that we would have that $\mathrm{Shell}_\neg(\rho^\forall_M) = \rho^\forall_M$, which is a contradiction because $\rho^\forall_M$ is not complete for $\neg$. □

Negation is antimonotone, however this is not why the corresponding complete shell 
does not exist. In fact, as a further remarkable example, we show that this is also the case 
for the "sometime" operator F, which is instead monotone. 

Theorem 3.2. The complete shell of $\rho^\forall_M$ for $\mathrm{F}$ does not exist.

Proof. Let us consider again the transition system $\langle \{\bullet\}, \{\bullet \to \bullet\} \rangle$ used in the proof of Theorem 3.1, so that the concrete domain $\wp(\mathbb{T})_\supseteq$ can be represented by $\wp(\mathbb{Z})_\supseteq$ and in particular $M = \mathbb{Z}$. We also have that $\rho^\forall_M = \{\emptyset, \mathbb{Z}\}$, namely $\rho^\forall_M(\mathbb{Z}) = \mathbb{Z}$, while if $X \subsetneq \mathbb{Z}$ then $\rho^\forall_M(X) = \emptyset$. Let us observe that for any $k \in \mathbb{Z}$, $\mathrm{F}([k,+\infty)) = \mathbb{Z}$, because for any $i \in \mathbb{Z}$ there exists some $m \geq i$ with $m \in [k,+\infty)$.

It is now simple to observe that $\rho^\forall_M$ is not complete for $\mathrm{F}$. In fact, for any $k \in \mathbb{Z}$, we have that $\rho^\forall_M(\mathrm{F}([k,+\infty))) = \rho^\forall_M(\mathbb{Z}) = \mathbb{Z}$, while $\rho^\forall_M(\mathrm{F}(\rho^\forall_M([k,+\infty)))) = \rho^\forall_M(\mathrm{F}(\emptyset)) = \rho^\forall_M(\emptyset) = \emptyset$. It is also easy to note that $\mathrm{F}$ is not continuous on $\wp(\mathbb{T})_\supseteq$: $\bigcap_{k \in \mathbb{Z}} \mathrm{F}([k,+\infty)) = \mathbb{Z}$, whereas $\mathrm{F}(\bigcap_{k \in \mathbb{Z}} [k,+\infty)) = \mathrm{F}(\emptyset) = \emptyset$. Hence, noncontinuity of $\mathrm{F}$ is consistent with Theorem 2.1.

Let us now consider the following family of closures: for any $k \in \mathbb{Z}$ and $X \in \wp(\mathbb{Z})$,

$$\rho_k(X) = \begin{cases} \mathbb{Z} & \text{if } X = \mathbb{Z} \\ X \cap [k,+\infty) & \text{otherwise} \end{cases}$$

Let us note that $\rho_k \in \mathrm{uco}(\wp(\mathbb{Z})_\supseteq)$, because $\mathrm{img}(\rho_k) = \{\mathbb{Z}\} \cup \{X \in \wp(\mathbb{Z}) \mid X \subseteq [k,+\infty)\}$ is closed under arbitrary unions, and that $\rho_k \sqsubseteq \rho^\forall_M$. Let us show that $\rho_k$ is complete for $\mathrm{F}$. Let $X \in \wp(\mathbb{Z})$. If $X = \mathbb{Z}$ then $\rho_k(\mathrm{F}(X)) = \rho_k(\mathrm{F}(\rho_k(X)))$ trivially holds because $X = \mathbb{Z} \in \rho_k$. Thus, consider $X \subsetneq \mathbb{Z}$. We distinguish the following two cases.

Case (i). Assume that for any $j \in \mathbb{Z}$, $X \cap [j,+\infty) \neq \emptyset$. Then, we have that $\mathrm{F}(X) = \mathbb{Z}$ because, by hypothesis on $X$, for any $i \in \mathbb{Z}$ there exists some $m \in X$ such that $i \leq m$. Moreover, $\mathrm{F}(\rho_k(X)) = \mathrm{F}(X \cap [k,+\infty)) = \mathbb{Z}$ because for any $i \in \mathbb{Z}$, $X \cap [k,+\infty) \cap [i,+\infty) \neq \emptyset$. Thus, in this case, $\mathrm{F}(X) = \mathrm{F}(\rho_k(X))$, so that $\rho_k(\mathrm{F}(X)) = \rho_k(\mathrm{F}(\rho_k(X))) = \mathbb{Z}$.

Case (ii). On the other hand, assume that there exists some $i \in \mathbb{Z}$ such that $X \cap [i,+\infty) = \emptyset$. Therefore, $\max(X) = n \in \mathbb{Z}$, so that $\mathrm{F}(X) = (-\infty, n]$. Let us distinguish two cases: $n < k$ and $n \geq k$. If $n < k$ then $\rho_k(\mathrm{F}(X)) = (-\infty, n] \cap [k,+\infty) = \emptyset$ and $\rho_k(X) = X \cap [k,+\infty) = \emptyset$, so that $\rho_k(\mathrm{F}(\rho_k(X))) = \emptyset$. If, instead, $n \geq k$ then $\rho_k(\mathrm{F}(X)) = (-\infty, n] \cap [k,+\infty) = [k, n]$ and $\rho_k(X) = X \cap [k,+\infty)$, so that $\max(\rho_k(X)) = n$ and this implies $\mathrm{F}(\rho_k(X)) = (-\infty, n]$, from which $\rho_k(\mathrm{F}(\rho_k(X))) = (-\infty, n] \cap [k,+\infty) = [k, n]$.

Hence, summing up, we have shown that for any $k \in \mathbb{Z}$ and $X \in \wp(\mathbb{Z})$, $\rho_k(\mathrm{F}(X)) = \rho_k(\mathrm{F}(\rho_k(X)))$, i.e. any $\rho_k$ is complete for $\mathrm{F}$. If $\mathrm{Shell}_{\mathrm{F}}(\rho^\forall_M)$ existed then we would have that for any $k$, $\rho_k \sqsubseteq \mathrm{Shell}_{\mathrm{F}}(\rho^\forall_M)$, so that $\bigsqcup_{k \in \mathbb{Z}} \rho_k \sqsubseteq \mathrm{Shell}_{\mathrm{F}}(\rho^\forall_M)$. But $\mathrm{img}(\bigsqcup_{k \in \mathbb{Z}} \rho_k) = \bigcap_{k \in \mathbb{Z}} \mathrm{img}(\rho_k) = \{\emptyset, \mathbb{Z}\} = \mathrm{img}(\rho^\forall_M)$, so that we would have that $\mathrm{Shell}_{\mathrm{F}}(\rho^\forall_M) = \rho^\forall_M$, which is a contradiction because $\rho^\forall_M$ is not complete for $\mathrm{F}$. □

The above proof also shows that $\mathrm{F}$ is not continuous on $\wp(\mathbb{T})_\supseteq$, so that noncontinuity of $\mathrm{F}$ is consistent with Theorem 2.1.

Although negation is not monotone, it turns out that the core of $\rho^\forall_M$ for $\neg$ exists even if we cannot exploit Theorem 2.1 in order to obtain a constructive characterization of it. This core turns out to be the greatest, totally uninformative closure.

Theorem 3.3. $\mathrm{Core}_\neg(\rho^\forall_M) = \lambda X.\,\emptyset$.

Proof. Let $\eta \in \mathrm{uco}(\wp(\mathbb{T})_\supseteq)$ such that $\rho^\forall_M \sqsubseteq \eta$, so that, for any $X$, $\rho^\forall_M(X) \supseteq \eta(X)$. By Hypothesis 2.6, for any $s \in \mathbb{S}$ we can pick some $(i,\sigma_s) \in M_{\downarrow s}$, so that $|M_{\downarrow s} \setminus \{(i,\sigma_s)\}| \geq 1$. Consider $Y = \{(i,\sigma_s) \in \mathbb{T} \mid s \in \mathbb{S}\}$. Then, we have that $\eta(\neg Y) \subseteq \rho^\forall_M(\neg Y) = \emptyset$, so that $\eta(\neg Y) = \emptyset$. On the other hand, $\eta(Y) \subseteq \rho^\forall_M(Y) = \emptyset$, so that $\eta(Y) = \emptyset$ and in turn $\eta(\neg\eta(Y)) = \eta(\neg\emptyset) = \eta(\mathbb{T})$. Thus, if $\eta$ is complete for $\neg$ then $\eta(\mathbb{T}) = \eta(\neg\eta(Y)) = \eta(\neg Y) = \emptyset$, so that for any $X \subseteq \mathbb{T}$, $\eta(X) \subseteq \eta(\mathbb{T}) = \emptyset$. Hence, $\lambda X.\,\emptyset$ is the unique closure which is greater than $\rho^\forall_M$ and complete for $\neg$, i.e., $\mathrm{Core}_\neg(\rho^\forall_M) = \lambda X.\,\emptyset$. □

3.2 Next-time 

Let us first show the following easy properties of the predecessor and successor trace operators.

Lemma 3.4.

(1) $\oplus : \wp(\mathbb{T}) \to \wp(\mathbb{T})$ and $\ominus : \wp(\mathbb{T}) \to \wp(\mathbb{T})$ preserve arbitrary unions and intersections, and $\oplus^{-1} = \ominus$ and $\ominus^{-1} = \oplus$.

Let $\rho \in \mathrm{uco}(\wp(\mathbb{T})_\supseteq)$. Then,

(2) $\rho \in \Gamma(\wp(\mathbb{T})_\supseteq, \oplus)$ iff for all $n \in \mathbb{N}$ and $X \in \wp(\mathbb{T})$, $\ominus^n(\rho(X)) = \rho(\ominus^n(\rho(X)))$;

(3) $\rho \in \Gamma(\wp(\mathbb{T})_\supseteq, \ominus)$ iff for all $n \in \mathbb{N}$ and $X \in \wp(\mathbb{T})$, $\oplus^n(\rho(X)) = \rho(\oplus^n(\rho(X)))$.

Proof. (1): Clear.

(2) and (3): Let us check that $\rho \in \Gamma(\wp(\mathbb{T})_\supseteq, \oplus)$ iff for all $n \in \mathbb{N}$ and $X \in \wp(\mathbb{T})$, $\ominus^n(\rho(X)) = \rho(\ominus^n(\rho(X)))$ (the remaining proof is analogous). Because, by (1), $\oplus$ is additive on $\wp(\mathbb{T})_\supseteq$, by Theorem 2.1 and Remark 2.3 we have that $\rho \in \Gamma(\wp(\mathbb{T})_\supseteq, \oplus)$ iff $\{\bigcap\{X \in \wp(\mathbb{T}) \mid \oplus(X) \supseteq Y\}\}_{Y \in \rho} \subseteq \rho$. By (1), $\oplus(X) \supseteq Y$ iff $X \supseteq \ominus(Y)$, and therefore $\rho \in \Gamma(\wp(\mathbb{T})_\supseteq, \oplus)$ iff $\{\ominus(Y) \mid Y \in \rho\} \subseteq \rho$, and therefore, iff $\{\ominus(\rho(X)) \mid X \in \wp(\mathbb{T})\} \subseteq \rho$. Analogously, we get that, for any $n \in \mathbb{N}$, $\rho \in \Gamma(\wp(\mathbb{T})_\supseteq, \oplus^n)$ iff $\{\ominus^n(\rho(X)) \mid X \in \wp(\mathbb{T})\} \subseteq \rho$. Thus, property (*) in Section 2.2.2 closes the proof. □

Let us recall from [10] that $\rho^\forall_M$ is complete for $\oplus$ when $\oplus$ is restricted to forward closed sets of traces, namely if $X \in \wp(\mathbb{T})$ is such that $X = \mathrm{Fd}(X)$ then $\rho^\forall_M(\oplus(X)) = \rho^\forall_M(\oplus(\rho^\forall_M(X)))$. This implies that for forward or state closed specification languages, namely languages with no past-time modality like LTL and CTL*, the universal abstraction is already complete for the next-time trace transformer. The situation changes in the general case of the reversible $\mu$-calculus, where $\rho^\forall_M$ is incomplete for next-time.

3.2.1 Complete core

By exploiting the constructive method provided by Theorem 2.1, the set of fixpoints of the complete core $\mathrm{Core}_\oplus(\rho^\forall_M)$ is first characterized as follows.

Theorem 3.5. The set of fixpoints of $\mathrm{Core}_\oplus(\rho^\forall_M)$ is $\{Y \in \wp(\mathbb{T}) \mid \forall k \in \mathbb{N}.\ \ominus^k Y = \rho^\forall_M(\ominus^k Y)\}$.

Proof. By Theorem 2.1 and Remark 2.3, $\mathrm{Core}_\oplus(\rho^\forall_M) = \bigsqcup_{i \in \mathbb{N}} L^i_\oplus(\rho^\forall_M)$. Thus, $Y \in \mathrm{Core}_\oplus(\rho^\forall_M) \Leftrightarrow \forall i \in \mathbb{N}.\ Y \in L^i_\oplus(\rho^\forall_M)$. Moreover, by Lemma 3.4, we have that $L_\oplus(\eta) = \{Y \in \wp(\mathbb{T}) \mid \bigcap\{X \in \wp(\mathbb{T}) \mid X \supseteq \ominus Y\} \in \eta\} = \{Y \in \wp(\mathbb{T}) \mid \ominus Y \in \eta\} = \{Y \in \wp(\mathbb{T}) \mid \ominus Y = \eta(\ominus Y)\}$, and therefore, for any $i \in \mathbb{N}$, $Y \in L^i_\oplus(\rho^\forall_M) \Leftrightarrow \ominus^i Y = \rho^\forall_M(\ominus^i Y)$. Therefore, the thesis follows. □

The following result provides a further useful characterization of the complete core based on the structure of the transition system. We use the following notation: given a transition system $\langle \mathbb{S}, \to \rangle$ and states $r, s \in \mathbb{S}$, for any $k > 0$, $r \to^k s$ iff $r = r_0 \to r_1 \to r_2 \to \cdots \to r_k = s$, where $\{r_1, \ldots, r_{k-1}\} \subseteq \mathbb{S}$. Moreover, we consider the following property $P_\to$ for any $S \subseteq \mathbb{S}$:

$P_\to(S)$ iff $\exists k > 0,\ q \in S,\ r \in \mathbb{S} \setminus S,\ t \in \mathbb{S}.\ q \to^k t$ and $r \to^k t$.

Theorem 3.6. Let $M = \mathcal{M}_\to$ for some total transition system $\langle \mathbb{S}, \to \rangle$. Then, for any $S \subseteq \mathbb{S}$, $\gamma^\forall_M(S) \notin \mathrm{Core}_\oplus(\rho^\forall_M) \Leftrightarrow P_\to(S)$.

Proof. ($\Leftarrow$) Assume that there exist $k > 0$, $q \in S$, $r \in \mathbb{S} \setminus S$, $t \in \mathbb{S}$ such that $q \to^k t$ and $r \to^k t$. By Theorem 3.5, it is enough to show that $\ominus^k(\bigcup_{s \in S} M_{\downarrow s}) \supsetneq \rho^\forall_M(\ominus^k(\bigcup_{s \in S} M_{\downarrow s}))$. Since $q \to^k t$ and $\langle \mathbb{S}, \to \rangle$ is total, there exists $(j,\pi) \in M$ such that $\pi_j = q$ and $\pi_{j+k} = t$. Since $q \in S$, we have that $(j,\pi) \in \bigcup_{s \in S} M_{\downarrow s}$ and therefore $(j+k,\pi) \in \ominus^k(\bigcup_{s \in S} M_{\downarrow s})$. On the other hand, since $r \to^k t$ and $\langle \mathbb{S}, \to \rangle$ is total, there exists $(l,\tau) \in M$ such that $\tau_l = r$ and $\tau_{l+k} = t = \pi_{j+k}$. Thus, $(l+k,\tau) \in M_{\downarrow\pi_{j+k}}$, while $(l+k,\tau) \notin \ominus^k(\bigcup_{s \in S} M_{\downarrow s})$ because $\tau_l = r \notin S$. Thus, by definition of $\rho^\forall_M$, this means that $(j+k,\pi) \notin \rho^\forall_M(\ominus^k(\bigcup_{s \in S} M_{\downarrow s}))$.

($\Rightarrow$) By Theorem 3.5, there exist $k > 0$ and $(j,\beta)$ such that (i) $(j,\beta) \in \ominus^k(\bigcup_{s \in S} M_{\downarrow s})$ and (ii) $(j,\beta) \notin \rho^\forall_M(\ominus^k(\bigcup_{s \in S} M_{\downarrow s}))$. Thus, by (i), $(j-k,\beta) \in \bigcup_{s \in S} M_{\downarrow s}$, i.e., $\beta_{j-k} \in S$. Moreover, by (ii), $M_{\downarrow\beta_j} \not\subseteq \ominus^k(\bigcup_{s \in S} M_{\downarrow s})$, so that there exists $(l,\pi) \in M$ such that $\pi_l = \beta_j$ and $(l-k,\pi) \notin \bigcup_{s \in S} M_{\downarrow s}$, i.e., $\pi_{l-k} \notin S$. Summing up, we have that $\pi_{l-k} \to^k \pi_l$, $\beta_{j-k} \to^k \pi_l$, $\pi_{l-k} \notin S$ and $\beta_{j-k} \in S$, that is $P_\to(S)$. □

Thus, by the characterization (‡) in Section 2.4.1 of $\rho^\forall_M$, stating that $\{\gamma^\forall_M(S)\}_{S \subseteq \mathbb{S}}$ is the set of fixpoints of $\rho^\forall_M$, the above result characterizes exactly the fixpoints which must be removed from $\rho^\forall_M$ in order to get the complete core $\mathrm{Core}_\oplus(\rho^\forall_M)$. As an immediate consequence of Theorem 3.6, observe that $M \in \mathrm{Core}_\oplus(\rho^\forall_M)$: in fact, $M = \gamma^\forall_M(\mathbb{S})$ and $P_\to(\mathbb{S})$ is not satisfied. Let us also observe that $P_\to(S)$ holds iff $P_\to(\neg S)$ holds, so that $\gamma^\forall_M(S) \notin \mathrm{Core}_\oplus(\rho^\forall_M) \Leftrightarrow \gamma^\forall_M(\neg S) \notin \mathrm{Core}_\oplus(\rho^\forall_M)$.

Example 3.7. Consider the transition system in Example 1.1. We know that $\rho^\forall_M = \{\gamma^\forall_M(\emptyset), \gamma^\forall_M(\{1\}), \gamma^\forall_M(\{2\}), \gamma^\forall_M(\{1,2\})\}$. Which elements are in $\mathrm{Core}_\oplus(\rho^\forall_M)$? $\gamma^\forall_M(\emptyset)$ and $\gamma^\forall_M(\{1,2\})$ always belong to $\mathrm{Core}_\oplus(\rho^\forall_M)$. Moreover, note that $1 \to 2$ and $2 \to 2$, so that $P_\to(\{1\})$ holds. Hence, by Theorem 3.6, $\gamma^\forall_M(\{1\})$ and $\gamma^\forall_M(\{2\})$ do not belong to $\mathrm{Core}_\oplus(\rho^\forall_M)$. □

By exploiting the above constructive result, we are also able to characterize the structure of transition systems whose models induce a universal closure which is complete for next-time. These are the transition systems $\langle \mathbb{S}, \to \rangle$ such that $\to$ is injective: the relation $\to$ is injective when

$\forall r, s, t \in \mathbb{S}.\ (r \to t \ \&\ s \to t) \Rightarrow r = s$.

Theorem 3.8. Let $M = \mathcal{M}_\to$ for some total transition system $\langle \mathbb{S}, \to \rangle$. Then, $\rho^\forall_M$ is complete for $\oplus$ if and only if $\to$ is injective.

Proof. $\rho^\forall_M$ is complete for $\oplus$ iff $\mathrm{Core}_\oplus(\rho^\forall_M) = \rho^\forall_M$ iff $\mathrm{Core}_\oplus(\rho^\forall_M) \sqsubseteq \rho^\forall_M$ iff $\rho^\forall_M \subseteq \mathrm{Core}_\oplus(\rho^\forall_M)$. Thus:

($\Rightarrow$) By hypothesis, for any $s \in \mathbb{S}$, $\gamma^\forall_M(\{s\}) \in \mathrm{Core}_\oplus(\rho^\forall_M)$. Thus, by Theorem 3.6, for any $r, s, t \in \mathbb{S}$ such that $r \neq s$, we have that for any $k > 0$, $s \to^k t$ implies $\neg(r \to^k t)$. Hence, for any $r, s, t \in \mathbb{S}$ and for any $k > 0$, $r \to^k t$ and $s \to^k t$ imply $s = r$. Therefore, for $k = 1$, this implies that $\to$ is injective.

($\Leftarrow$) Let $\to$ be injective. Let $r, s, t \in \mathbb{S}$ and $k > 0$ such that $r \to^k t$ and $s \to^k t$, i.e., $r \to r_1 \to \cdots \to r_{k-1} \to t$ and $s \to s_1 \to \cdots \to s_{k-1} \to t$. Then, by injectivity, $r_{k-1} = s_{k-1}$, and in turn, still by injectivity, $r_{k-2} = s_{k-2}$, and so on, so that we get $r = s$. Hence, for any $r, s, t \in \mathbb{S}$ and for any $k > 0$, $s \to^k t$ and $r \to^k t$ imply $r = s$. This means that, for any $s \in \mathbb{S}$, $P_\to(\{s\})$ does not hold. Thus, by Theorem 3.6, $\gamma^\forall_M(\{s\}) \in \mathrm{Core}_\oplus(\rho^\forall_M)$. Since $\mathrm{Core}_\oplus(\rho^\forall_M)$ is a uco on $\wp(\mathbb{T})_\supseteq$, its set of fixpoints is closed under arbitrary set-unions. Moreover, since $\gamma^\forall_M$ is co-additive on $\wp(\mathbb{S})_\supseteq$, we have that $\gamma^\forall_M$ preserves arbitrary set-unions. Thus, for any $S \subseteq \mathbb{S}$, $\gamma^\forall_M(S) = \bigcup_{s \in S} \gamma^\forall_M(\{s\}) \in \mathrm{Core}_\oplus(\rho^\forall_M)$. Thus, since $\rho^\forall_M = \{\gamma^\forall_M(S)\}_{S \subseteq \mathbb{S}}$, it turns out that $\rho^\forall_M \subseteq \mathrm{Core}_\oplus(\rho^\forall_M)$. □

It is worth noting that injectivity means that each computation step is reversible, i.e. the reversed transition system $\langle \mathbb{S}, \leftarrow \rangle$ obtained by reversing the transition relation is deterministic. This is the case of Bennett's reversible computations [1], i.e. computations whose output uniquely defines the input, which have been extensively studied by many authors in different contexts. Let us also observe that if $s \in \mathbb{S}$ is a stalling state, i.e. such that $s \to s$, then the injectivity of the transition relation requires that $t \not\to s$ for any $t \neq s$, i.e., $s$ cannot be reached by any other state, so that $s$ must necessarily be an initial system state.

Figure 1: A traffic light controller and its abstract version.

Example 3.9. Consider a traffic light controller modelled by the transition system $\langle \mathbb{S}, \to \rangle$ depicted in Figure 1 generating the model $M$. Then, $\langle \mathbb{S}, \to \rangle$ is total and injective, and therefore, by Theorem 3.8, the corresponding universal closure is complete for next-time, so that $\mathrm{Core}_\oplus(\rho^\forall_M) = \rho^\forall_M$.

Consider instead the abstract transition system $\langle \mathbb{S}^\sharp = \{\mathit{red}, \mathit{go}\}, \to^\sharp \rangle$ induced by the state partition $\{\{\mathit{red}\}, \{\mathit{green}, \mathit{yellow}\}\}$ (see [7] for an introduction to abstract model checking), also depicted in Figure 1. In this case, $\langle \mathbb{S}^\sharp, \to^\sharp \rangle$ is total but it is not injective. Let $M^\sharp$ be the model generated by $\langle \mathbb{S}^\sharp, \to^\sharp \rangle$. We exploit Theorem 3.6 in order to compute the complete core in this case. It turns out that $\mathit{red} \to^\sharp \mathit{go}$ and $\mathit{go} \to^\sharp \mathit{go}$, so that $P_{\to^\sharp}(\{\mathit{red}\})$ and $P_{\to^\sharp}(\{\mathit{go}\})$ do not hold. Thus, in this case it turns out that the complete core is trivial, i.e., $\mathrm{Core}_\oplus(\rho^\forall_{M^\sharp}) = \{\emptyset, M^\sharp\}$.

Let us also observe that any abstraction with at least two states of $\langle \mathbb{S}, \to \rangle$ induces an abstract transition system for which the universal closure is not complete for next-time. This is not always the case for abstract transition systems. For example, in the case of an infinite counter modelled by a concrete transition system $\langle \mathbb{S}, \to \rangle$ where $\mathbb{S} = \mathbb{Z}$ and $x \to y$ iff $y = x+1$, it turns out that both $\langle \mathbb{S}, \to \rangle$ and the abstract transition system $\langle \{\mathit{even}, \mathit{odd}\}, \to^\sharp \rangle$ with ${\to^\sharp} = \{\mathit{odd} \to \mathit{even}, \mathit{even} \to \mathit{odd}\}$, obtained by the even/odd partition of the integers, are such that the corresponding universal closures are complete for $\oplus$: in fact, both transition relations are injective and therefore Theorem 3.8 applies. □

3.2.2 Complete shell

By applying again Theorem 2.1, let us now characterize the set of fixpoints of the complete shell of the universal closure for next-time.

Theorem 3.10. The set of fixpoints of $\mathrm{Shell}_\oplus(\rho^\forall_M)$ is $\mathrm{Cl}_\cup(\{\ominus^n(X) \mid n \in \mathbb{N},\ X \in \rho^\forall_M\})$.

Proof. By Theorem 2.1 and Remark 2.3, $\mathrm{Shell}_\oplus(\rho^\forall_M) = \sqcap_{i \in \mathbb{N}} R^i_\oplus(\rho^\forall_M)$, where $R_\oplus(\eta) = \mathrm{Cl}_\cup(\{\cap\{X \in \wp(T) \mid \oplus X \supseteq Y\} \mid Y \in \eta\}) = \mathrm{Cl}_\cup(\{\ominus(Y) \mid Y \in \eta\})$. Moreover, for any $i \in \mathbb{N}$, $R^i_\oplus(\eta) = \mathrm{Cl}_\cup(\{\ominus^i(Y) \mid Y \in \eta\})$. Thus, it turns out that

$$\mathrm{Shell}_\oplus(\rho^\forall_M) = \sqcap_{i \in \mathbb{N}} R^i_\oplus(\rho^\forall_M) = \mathrm{Cl}_\cup\big(\cup_{i \in \mathbb{N}} \mathrm{Cl}_\cup(\{\ominus^i(Y) \mid Y \in \rho^\forall_M\})\big) = \mathrm{Cl}_\cup\big(\cup_{i \in \mathbb{N}} \{\ominus^i(Y) \mid Y \in \rho^\forall_M\}\big) = \mathrm{Cl}_\cup(\{\ominus^i(Y) \mid i \in \mathbb{N},\ Y \in \rho^\forall_M\}).$$

□

Thus, in order to minimally refine the universal closure $\rho^\forall_M$ to a complete closure for the next-time $\oplus$, one must close the image of $\rho^\forall_M$ under the application of the inverse of $\oplus$, i.e., the previous-time trace operator $\ominus$.

As a consequence of Theorem 3.10, we can also provide a characterization of $\mathrm{Shell}_\oplus(\rho^\forall_M)$ as a function. Given $(i,\sigma) \in T$, $M \in \wp(T)$ and $k \in \mathbb{Z}$, let us define:

$$M^k_{i,\sigma} = \{(j,\tau) \in M \mid \tau_{j+k} = \sigma_{i+k}\}.$$

This is a generalization of the (current) state projection, since $M_{i,\sigma} = M^0_{i,\sigma}$. In particular, if $k \in \mathbb{N}$, $M^{-k}_{i,\sigma}$ can be thought of as the $k$-th past state projection of $M$.

Theorem 3.11. $\mathrm{Shell}_\oplus(\rho^\forall_M) = \lambda X.\{(i,\sigma) \in M \mid \exists k \in \mathbb{N}.\ M^{-k}_{i,\sigma} \subseteq X\}$.

Proof. By Theorem 3.10, we have that $\mathrm{Shell}_\oplus(\rho^\forall_M) = \lambda X.\cup\{\ominus^n(Z) \mid n \in \mathbb{N},\ Z \in \rho^\forall_M,\ \ominus^n(Z) \subseteq X\}$. Thus, let us show that for any $X \subseteq T$,

$$\cup\{\ominus^n(Z) \mid n \in \mathbb{N},\ Z \in \rho^\forall_M,\ \ominus^n(Z) \subseteq X\} = \{(i,\sigma) \in M \mid \exists k \in \mathbb{N}.\ M^{-k}_{i,\sigma} \subseteq X\}.$$

($\subseteq$): Let $(i,\sigma) \in \ominus^n(Z)$, for some $n \in \mathbb{N}$ and $Z \in \rho^\forall_M$ such that $\ominus^n(Z) \subseteq X$. Then, $(i-n,\sigma) \in Z$ and, since $Z \in \rho^\forall_M$, $(i-n,\sigma) \in M$. Let us show that $M^{-n}_{i,\sigma} \subseteq X$. Consider $(j,\tau) \in M$ such that $\tau_{j-n} = \sigma_{i-n}$. Since $(i-n,\sigma) \in Z$ and $Z \in \rho^\forall_M$, we have that $(j-n,\tau) \in Z$, so that $(j,\tau) \in \ominus^n(Z)$. Hence, $\ominus^n(Z) \subseteq X$ implies $(j,\tau) \in X$.

($\supseteq$): Consider $(i,\sigma) \in M$ such that $M^{-k}_{i,\sigma} \subseteq X$ for some $k \geq 0$. We consider $M_{\sigma_{i-k}} \in \rho^\forall_M$ and we observe that $(i,\sigma) \in \ominus^k(M_{\sigma_{i-k}})$. In order to conclude, let us check that $\ominus^k(M_{\sigma_{i-k}}) \subseteq X$. Consider $(j,\tau) \in \ominus^k(M_{\sigma_{i-k}})$, so that $(j-k,\tau) \in M_{\sigma_{i-k}}$. Hence, $\tau_{j-k} = \sigma_{i-k}$, so that $(j,\tau) \in M^{-k}_{i,\sigma} \subseteq X$, and therefore $(j,\tau) \in X$. □

Thus, for any $X \in \wp(T)$, $\mathrm{Shell}_\oplus(\rho^\forall_M)(X)$ throws away from $X$ all those traces which either are not in $M$ or are in $M$ but none of whose past or current states universally satisfies $X$. The intuition is that while the universal closure $\rho^\forall_M$ considers present states only (i.e., $M_{i,\sigma} \subseteq X$), as expected, completeness for next-time forces to take into account any past state (i.e., $\exists k \in \mathbb{N}.\ M^{-k}_{i,\sigma} \subseteq X$). Therefore, in order to design a suitable abstract domain for representing $\mathrm{Shell}_\oplus(\rho^\forall_M)$ we need "to prolong the abstract domain $\wp(\mathbb{S})_\supseteq$ in the past" as follows.

Definition 3.12. Define $\wp(\mathbb{S})^\oplus = \mathbb{Z}_{\leq 0} \to \wp(\mathbb{S})$, where $\mathbb{Z}_{\leq 0}$ is the set of nonpositive integers. Observe that $\wp(\mathbb{S})^\oplus$ is a complete lattice w.r.t. the standard pointwise ordering $\supseteq$. Given $z \in \mathbb{Z}_{\leq 0}$, $s \in \mathbb{S}$ and $M \in \wp(T)$, define $M^z_s = \{(i,\sigma) \in M \mid \sigma_{i+z} = s\}$. The mappings $\alpha^\oplus_M : \wp(T) \to \wp(\mathbb{S})^\oplus$ and $\gamma^\oplus_M : \wp(\mathbb{S})^\oplus \to \wp(T)$ are defined as follows:

$$\alpha^\oplus_M(X) \stackrel{\mathrm{def}}{=} \lambda z \in \mathbb{Z}_{\leq 0}.\ \{s \in \mathbb{S} \mid M^z_s \subseteq X\};$$

$$\gamma^\oplus_M(\Sigma) \stackrel{\mathrm{def}}{=} \{(i,\sigma) \in M \mid \exists k \in \mathbb{N}.\ \sigma_{i-k} \in \Sigma(-k)\}.$$

□

Corollary 3.13. $(\alpha^\oplus_M, \wp(T)_\supseteq, \wp(\mathbb{S})^\oplus_\supseteq, \gamma^\oplus_M)$ is a GC, and additionally a GI when $M$ is the model generated by some total transition system $(\mathbb{S}, \to)$, which induces the closure $\mathrm{Shell}_\oplus(\rho^\forall_M)$.

Proof. The fact that $(\alpha^\oplus_M, \wp(T)_\supseteq, \wp(\mathbb{S})^\oplus_\supseteq, \gamma^\oplus_M)$ is a GC/GI follows easily from the GC/GI $(\alpha^\forall_M, \wp(T)_\supseteq, \wp(\mathbb{S})_\supseteq, \gamma^\forall_M)$. Moreover, observe that $\gamma^\oplus_M \circ \alpha^\oplus_M$ coincides with the characterization of $\mathrm{Shell}_\oplus(\rho^\forall_M)$ given by Theorem 3.11. □

Hence, the state abstract domain $\wp(\mathbb{S})_\supseteq$ needs to be refined to a domain of infinite sequences of sets of states, namely the "prol­ongation" of $\wp(\mathbb{S})$ in the past. We index the sequences $\Sigma \in \wp(\mathbb{S})^\oplus$ over $\mathbb{Z}_{\leq 0}$, so that for any $i \in \mathbb{N}$, $\Sigma(-i) \in \wp(\mathbb{S})$ is reminiscent of a set of states at time $-i \in \mathbb{Z}_{\leq 0}$.

As a consequence, it is easy to design an abstract domain for representing the complete shell of the universal closure for both next- and previous-time. In fact, the prolongation of $\wp(\mathbb{S})_\supseteq$ both in the past and in the future leads to the GI $(\alpha^\pm_M, \wp(T)_\supseteq, \wp(\mathbb{S})^\pm_\supseteq, \gamma^\pm_M)$, where $\wp(\mathbb{S})^\pm = \mathbb{Z} \to \wp(\mathbb{S})$ and:

$$\alpha^\pm_M(X) \stackrel{\mathrm{def}}{=} \lambda z \in \mathbb{Z}.\ \{s \in \mathbb{S} \mid M^z_s \subseteq X\};$$

$$\gamma^\pm_M(\Sigma) \stackrel{\mathrm{def}}{=} \{(i,\sigma) \in M \mid \exists k \in \mathbb{Z}.\ \sigma_{i+k} \in \Sigma(k)\}.$$

Example 3.14. Let us consider again the two-state transition system in Example 1.1 and the formula $\oplus\ominus p$, where $p = \sigma_{\{1\}}$. Observe that $[\![\oplus\ominus p]\!] = [\![p]\!] = M_1$. The formula $\oplus\ominus p$ is not branchable, namely the abstract semantics of $\oplus\ominus p$ induced by $\rho^\forall_M$ is not complete. In fact, $\alpha^\forall_M([\![\oplus\ominus p]\!]) = \{1\}$ while $[\![\oplus\ominus p]\!]^\forall_M = \mathrm{pre}^\forall(\mathrm{post}^\forall(\alpha^\forall_M(M_1))) = \mathrm{pre}^\forall(\mathrm{post}^\forall(\{1\})) = \mathrm{pre}^\forall(\{1\}) = \varnothing$.

Let us check that for the above abstract domain $\wp(\mathbb{S})^\pm$ completeness does hold. In this case, the abstract semantics is as follows: $[\![\oplus\ominus p]\!]^\pm_M = \alpha^\pm_M \circ \oplus \circ \gamma^\pm_M \circ \alpha^\pm_M \circ \ominus \circ \gamma^\pm_M \circ \alpha^\pm_M(M_1)$. Hence, we have the following equalities:

$$\alpha^\pm_M(M_1)(z) = \begin{cases} \varnothing & \text{if } z < 0 \\ \{1\} & \text{if } z \geq 0 \end{cases}$$

$$\gamma^\pm_M(\alpha^\pm_M(M_1)) = M_1$$

$$\ominus(\gamma^\pm_M(\alpha^\pm_M(M_1))) = M_1 \cup \{(i,\sigma) \in M \mid \sigma_i = 2,\ \sigma_{i-1} = 1\}$$

$$\gamma^\pm_M(\alpha^\pm_M(\ominus(\gamma^\pm_M(\alpha^\pm_M(M_1))))) = M_1 \cup \{(i,\sigma) \in M \mid \sigma_i = 2,\ \sigma_{i-1} = 1\}$$

$$\oplus(\gamma^\pm_M(\alpha^\pm_M(\ominus(\gamma^\pm_M(\alpha^\pm_M(M_1)))))) = M_1$$

As a consequence, it turns out that

$$\alpha^\pm_M([\![\oplus\ominus p]\!]) = \alpha^\pm_M(M_1) = \alpha^\pm_M(\oplus(\gamma^\pm_M(\alpha^\pm_M(\ominus(\gamma^\pm_M(\alpha^\pm_M(M_1))))))) = [\![\oplus\ominus p]\!]^\pm_M,$$

namely completeness holds for this abstract domain. □



3.3 Time reversal

Let us now analyze the time reversal operator $\leftrightarrow$. The universal abstraction for the reversed model ${\leftrightarrow}M$ is characterized as follows. Of course, notice that if $M$ is generated by a transition system $(\mathbb{S}, \to)$ then ${\leftrightarrow}M$ is the model generated by the reversed transition system $(\mathbb{S}, \leftarrow)$.

Lemma 3.15. $\rho^\forall_{{\leftrightarrow}M} = {\leftrightarrow} \circ \rho^\forall_M \circ {\leftrightarrow}$.

Proof. Let us show that ${\leftrightarrow}(\rho^\forall_M({\leftrightarrow}X)) = \rho^\forall_{{\leftrightarrow}M}(X)$. Let $(i,\sigma) \in {\leftrightarrow}(\rho^\forall_M({\leftrightarrow}X))$. Then, ${\leftrightarrow}(i,\sigma) \in \rho^\forall_M({\leftrightarrow}X)$, and therefore ${\leftrightarrow}(i,\sigma) \in M$ and $M_{{\leftrightarrow}(i,\sigma)} \subseteq {\leftrightarrow}X$. This implies $(i,\sigma) \in {\leftrightarrow}M$ and ${\leftrightarrow}(M_{{\leftrightarrow}(i,\sigma)}) \subseteq X$. Since ${\leftrightarrow}(M_{{\leftrightarrow}(i,\sigma)}) = ({\leftrightarrow}M)_{i,\sigma}$, this means that $(i,\sigma) \in \rho^\forall_{{\leftrightarrow}M}(X)$. On the other hand, the previous implications actually are equivalences, and thus the reverse inclusion simply follows by going backward. □



3.3.1 Complete core

Theorem 2.1 allows us here to show that the complete core is given by those fixpoints of $\rho^\forall_M$ which also belong to the universal closure $\rho^\forall_{{\leftrightarrow}M}$ relative to the reversed model ${\leftrightarrow}M$.

Theorem 3.16. The set of fixpoints of $\mathrm{Core}_\leftrightarrow(\rho^\forall_M)$ is $\{Y \in \wp(T) \mid Y, {\leftrightarrow}Y \in \rho^\forall_M\}$. Moreover, $\mathrm{Core}_\leftrightarrow(\rho^\forall_M) = \rho^\forall_M \sqcup \rho^\forall_{{\leftrightarrow}M}$.

Proof. By Theorem 2.1 and Remark 2.3, we have that $\mathrm{Core}_\leftrightarrow(\rho^\forall_M) = \sqcup_{i \in \mathbb{N}} L^i_\leftrightarrow(\rho^\forall_M)$, where $L_\leftrightarrow(\eta) = \{Y \in \wp(T) \mid \cap\{X \in \wp(T) \mid {\leftrightarrow}X \supseteq Y\} \in \eta\}$. Since ${\leftrightarrow}X \supseteq Y \Leftrightarrow X \supseteq {\leftrightarrow}Y$, we have that $L_\leftrightarrow(\eta) = \{Y \in \wp(T) \mid {\leftrightarrow}Y \in \eta\}$. Thus, for any $j \geq 0$, $L^{2j}_\leftrightarrow(\rho^\forall_M) = \rho^\forall_M$ and $L^{2j+1}_\leftrightarrow(\rho^\forall_M) = L_\leftrightarrow(\rho^\forall_M)$. Hence, $\sqcup_{i \in \mathbb{N}} L^i_\leftrightarrow(\rho^\forall_M) = \rho^\forall_M \sqcup L_\leftrightarrow(\rho^\forall_M) = \{Y \in \wp(T) \mid Y, {\leftrightarrow}Y \in \rho^\forall_M\}$. Moreover, let us observe that ${\leftrightarrow}Y \in \rho^\forall_M \Leftrightarrow \rho^\forall_M({\leftrightarrow}Y) = {\leftrightarrow}Y \Leftrightarrow {\leftrightarrow}(\rho^\forall_M({\leftrightarrow}Y)) = Y$. Thus, by Lemma 3.15, ${\leftrightarrow}Y \in \rho^\forall_M \Leftrightarrow Y \in \rho^\forall_{{\leftrightarrow}M}$, and thus we also have that $\mathrm{Core}_\leftrightarrow(\rho^\forall_M) = \rho^\forall_M \sqcup \rho^\forall_{{\leftrightarrow}M}$. □
This allows us to give a characterization of the transition systems that induce universal closures which are complete for time reversal. It turns out that these are the symmetric transition systems: a relation $\to$ is symmetric when $\forall r, s \in \mathbb{S}.\ r \to s \Rightarrow s \to r$. This means that in symmetric transition systems any computation step is reversible.

Corollary 3.17. Let $M$ be the model generated by some total transition system $(\mathbb{S}, \to)$. Then, $\rho^\forall_M$ is complete for $\leftrightarrow$ if and only if $\to$ is symmetric.

Proof. Let us first observe that $\to$ is symmetric iff $M = {\leftrightarrow}M$. Let us show that $\rho^\forall_{{\leftrightarrow}M} \sqsubseteq \rho^\forall_M \Rightarrow M = {\leftrightarrow}M$: we have that ${\leftrightarrow}M = \rho^\forall_{{\leftrightarrow}M}(T) \supseteq \rho^\forall_M(T) = M$, and in turn, by applying $\leftrightarrow$, $M \supseteq {\leftrightarrow}M$, that is ${\leftrightarrow}M = M$. Thus, $\rho^\forall_{{\leftrightarrow}M} \sqsubseteq \rho^\forall_M \Rightarrow M = {\leftrightarrow}M$. Moreover, by Theorem 3.16, $\rho^\forall_M$ is complete for $\leftrightarrow$ iff $\mathrm{Core}_\leftrightarrow(\rho^\forall_M) = \rho^\forall_M$ iff $\rho^\forall_{{\leftrightarrow}M} \sqsubseteq \rho^\forall_M$. Hence, this closes the proof. □

Thus, in practice, the universal closure is rarely complete for time reversal, since symmetry is not a realistic condition for most systems.

Example 3.18. Consider the abstract counter and the abstract traffic light controller in Example 3.9. The transition relations of both systems are symmetric, so that, by Corollary 3.17, the universal closure is complete for time reversal. This is not the case of the concrete three-state traffic light controller, since the transition relation is not symmetric. Observe that the model generated by this transition system is as follows:

$$M = \{(i, \cdots\ \mathit{red}\ \mathit{green}\ \mathit{yellow}\ \mathit{red}\ \mathit{green}\ \mathit{yellow}\ \cdots) \mid i \in \mathbb{Z}\}.$$

Thus, for any $Y \subseteq M$, $Y, {\leftrightarrow}Y \in \rho^\forall_M$ holds if and only if $Y = \varnothing$. Therefore, by Theorem 3.16, $\mathrm{Core}_\leftrightarrow(\rho^\forall_M) = \{\varnothing\}$, i.e., the complete core is the trivial abstract domain representing no information. □
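As an added example, not part of the paper, the following Python script checks on finite transition systems the conditions the text relies on: totality and injectivity (Theorem 3.8, Example 3.9), symmetry (Corollary 3.17, Example 3.18), and the state-based evaluation $\mathrm{pre}^\forall(\mathrm{post}^\forall(S))$ of $\oplus\ominus\sigma_S$ against the universal abstraction of its trace semantics (Example 3.14). The two-state system of Example 1.1 is not on this page, so the one used here is an assumption, constructed to match the values Example 3.14 reports; `pre_forall`, `post_forall` and the other names are this example's own.

```python
# Added example (not from the paper): finite checks for the structural
# conditions the text uses, run on the transition systems of Examples 3.9
# and 3.18, plus the state-based evaluation of the formula of Example 3.14.
# A transition system is a set of states and a relation given as a set of
# (source, target) pairs.


def successors(rel, s):
    return {b for a, b in rel if a == s}


def predecessors(rel, s):
    return {a for a, b in rel if b == s}


def is_total(states, rel):
    """Every state has at least one successor."""
    return all(successors(rel, s) for s in states)


def is_injective(states, rel):
    """No state is reached from two distinct states: t1 -> s and t2 -> s imply
    t1 == t2. With totality, this is the condition under which the text says
    (Theorem 3.8) that the universal closure is complete for next-time."""
    return all(len(predecessors(rel, s)) <= 1 for s in states)


def is_symmetric(rel):
    """r -> s implies s -> r: the condition of Corollary 3.17 for completeness
    w.r.t. time reversal."""
    return all((b, a) in rel for a, b in rel)


def pre_forall(states, rel, Y):
    """Universal predecessor: states all of whose successors lie in Y
    (state-based counterpart of next-time, as in Example 3.14)."""
    return {s for s in states if successors(rel, s) <= Y}


def post_forall(states, rel, Y):
    """Universal successor: states all of whose predecessors lie in Y
    (state-based counterpart of previous-time)."""
    return {s for s in states if predecessors(rel, s) <= Y}


def next_prev_state_semantics(states, rel, S):
    """State-based semantics of (+)(-)sigma_S, i.e. pre_forall(post_forall(S)).
    On traces (+)(-) is the identity, so the universal abstraction of the trace
    semantics is S itself; any difference from S is an instance of the
    incompleteness discussed in Example 3.14."""
    return pre_forall(states, rel, post_forall(states, rel, S))


def structural_profile(states, rel):
    """The three properties the text uses to classify a transition system."""
    return {"total": is_total(states, rel),
            "injective": is_injective(states, rel),
            "symmetric": is_symmetric(rel)}


# Concrete traffic light controller of Example 3.9 / Figure 1.
TRAFFIC_STATES = {"red", "green", "yellow"}
TRAFFIC_REL = {("red", "green"), ("green", "yellow"), ("yellow", "red")}

# Its abstraction induced by the partition {{red}, {green, yellow}}.
ABSTRACT_TRAFFIC_STATES = {"red", "go"}
ABSTRACT_TRAFFIC_REL = {("red", "go"), ("go", "go"), ("go", "red")}

# Even/odd abstraction of the infinite counter x -> x + 1.
COUNTER_STATES = {"even", "odd"}
COUNTER_REL = {("even", "odd"), ("odd", "even")}

# Assumed (constructed) two-state system standing in for Example 1.1:
# 1 -> 1, 1 -> 2, 2 -> 2. It yields post_forall({1}) = {1}, pre_forall({1}) = {}.
TWO_STATES = {1, 2}
TWO_REL = {(1, 1), (1, 2), (2, 2)}

if __name__ == "__main__":
    for name, states, rel, S in [
        ("traffic light", TRAFFIC_STATES, TRAFFIC_REL, {"red"}),
        ("abstract traffic light", ABSTRACT_TRAFFIC_STATES, ABSTRACT_TRAFFIC_REL, {"red"}),
        ("abstract counter", COUNTER_STATES, COUNTER_REL, {"even"}),
        ("two-state system", TWO_STATES, TWO_REL, {1}),
    ]:
        got = next_prev_state_semantics(states, rel, S)
        verdict = "complete" if got == S else "INCOMPLETE"
        print(f"{name}: {structural_profile(states, rel)}; "
              f"state semantics of (+)(-)sigma_{S} = {got} ({verdict})")
```

For the injective systems the round trip returns $S$ itself, while for the non-injective abstract traffic light and the assumed two-state system it returns the empty set, matching the incompleteness reported in Example 3.14.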



3.3.2 Complete shell

Let us now apply our constructive approach to characterize the complete shell.

Theorem 3.19. The set of fixpoints of $\mathrm{Shell}_\leftrightarrow(\rho^\forall_M)$ is $\mathrm{Cl}_\cup(\rho^\forall_M \cup \{Y \in \wp(T) \mid {\leftrightarrow}Y \in \rho^\forall_M\})$. Moreover, $\mathrm{Shell}_\leftrightarrow(\rho^\forall_M) = \rho^\forall_M \sqcap \rho^\forall_{{\leftrightarrow}M}$.

Proof. By Theorem 2.1 and Remark 2.3, $\mathrm{Shell}_\leftrightarrow(\rho^\forall_M) = \sqcap_{i \in \mathbb{N}} R^i_\leftrightarrow(\rho^\forall_M)$, where $R_\leftrightarrow(\eta) = \mathrm{Cl}_\cup(\{\cap\{X \in \wp(T) \mid {\leftrightarrow}X \supseteq Y\} \mid Y \in \eta\}) = \mathrm{Cl}_\cup(\{{\leftrightarrow}Y \mid Y \in \eta\}) = \mathrm{Cl}_\cup(\{Y \mid {\leftrightarrow}Y \in \eta\})$. Since $\leftrightarrow$ preserves arbitrary unions, for any $j \geq 0$, $R^{2j}_\leftrightarrow(\rho^\forall_M) = \rho^\forall_M$ and $R^{2j+1}_\leftrightarrow(\rho^\forall_M) = R_\leftrightarrow(\rho^\forall_M)$. Hence, $\sqcap_{i \in \mathbb{N}} R^i_\leftrightarrow(\rho^\forall_M) = \rho^\forall_M \sqcap R_\leftrightarrow(\rho^\forall_M) = \mathrm{Cl}_\cup(\rho^\forall_M \cup \{Y \mid {\leftrightarrow}Y \in \rho^\forall_M\})$. Moreover, as observed in the proof of Theorem 3.16, ${\leftrightarrow}Y \in \rho^\forall_M \Leftrightarrow {\leftrightarrow}(\rho^\forall_M({\leftrightarrow}Y)) = Y$, and therefore, by Lemma 3.15, $R_\leftrightarrow(\rho^\forall_M) = \rho^\forall_{{\leftrightarrow}M}$, so that we obtain that $\mathrm{Shell}_\leftrightarrow(\rho^\forall_M) = \rho^\forall_M \sqcap \rho^\forall_{{\leftrightarrow}M}$. □

It is therefore simple to design an abstract domain for representing this complete shell. We consider the abstract domain $\wp(\mathbb{S})^2_\supseteq$ as related to the concrete domain $\wp(T)_\supseteq$ by the following abstraction and concretization maps:

$$\alpha^\leftrightarrow_M \stackrel{\mathrm{def}}{=} \lambda X.\ \langle \alpha^\forall_M(X), \alpha^\forall_{{\leftrightarrow}M}(X) \rangle;$$

$$\gamma^\leftrightarrow_M \stackrel{\mathrm{def}}{=} \lambda \langle X_1, X_2 \rangle.\ \gamma^\forall_M(X_1) \cup \gamma^\forall_{{\leftrightarrow}M}(X_2).$$

As a consequence of Theorem 3.19, it turns out that $\mathrm{Shell}_\leftrightarrow(\rho^\forall_M)$ is the closure induced by the GI $(\alpha^\leftrightarrow_M, \wp(T)_\supseteq, \wp(\mathbb{S})^2_\supseteq, \gamma^\leftrightarrow_M)$. Thus, the above result tells us that completeness for time reversal requires an additional component taking into account the universal abstraction for the reversed model ${\leftrightarrow}M$.
3.4 Disjunction

Finally, let us consider disjunction, namely set-union in the concrete domain $\wp(T)$.

3.4.1 Complete core

Theorem 3.20. $\mathrm{Core}_\cup(\rho^\forall_M) = \lambda X.\varnothing$.

Proof. By Theorem 2.1 and Remark 2.3, we have that $\mathrm{Core}_\cup(\rho^\forall_M) = \sqcup_{i \in \mathbb{N}} L^i_\cup(\rho^\forall_M)$, where $L_\cup(\eta) = \{Y \in \wp(T) \mid \{\cap\{Z \in \wp(T) \mid Z \cup X \supseteq Y\}\}_{X \in \wp(T)} \subseteq \eta\}$. Note that, for any $X, Y \in \wp(T)$, $\cap\{Z \in \wp(T) \mid Z \cup X \supseteq Y\} = Y \cap \neg X$ and ${\downarrow}Y = \{Z \in \wp(T) \mid Z \subseteq Y\} = \{Y \cap \neg X \mid X \in \wp(T)\}$. Thus, $L_\cup(\eta) = \{Y \in \wp(T) \mid {\downarrow}Y \subseteq \eta\}$. Also, let us observe that $L_\cup(\eta) \subseteq \eta$ and $L_\cup(L_\cup(\eta)) = L_\cup(\eta)$, so that, for any $i \geq 1$, $L^i_\cup(\rho^\forall_M) = L_\cup(\rho^\forall_M)$, and therefore $\sqcup_{i \in \mathbb{N}} L^i_\cup(\rho^\forall_M) = \{Y \in \wp(T) \mid {\downarrow}Y \subseteq \rho^\forall_M\}$. Consider now some $Y \in \wp(T)$ such that ${\downarrow}Y \subseteq \rho^\forall_M$. Then, $Y \in \rho^\forall_M$, so that there exists some $S \subseteq \mathbb{S}$ such that $Y = \gamma^\forall_M(S)$. If $s \in S$ then there exists some $(i,\sigma) \in M_s \subseteq \gamma^\forall_M(S)$, so that $\{(i,\sigma)\} \subseteq Y$. It turns out that $\{(i,\sigma)\} \notin \rho^\forall_M$ because, by Hypothesis 2.6 (i), $|M_{i,\sigma}| > 1$, so that $M_{i,\sigma} \not\subseteq \{(i,\sigma)\}$. This means that if $S \neq \varnothing$ then ${\downarrow}Y \not\subseteq \rho^\forall_M$. Thus, $\mathrm{Core}_\cup(\rho^\forall_M) = \{\varnothing\}$, i.e., the core is the top closure $\lambda X.\varnothing$. □

The greatest closure $\lambda X.\varnothing$ represents the straightforward uninformative abstract domain consisting of a unique abstract value which is the abstraction of any concrete value. The above result states that there is no further abstraction, but for the straightforward abstraction, of the universal abstraction which is complete for disjunction. As a consequence, we will prove later that any abstraction, but for the straightforward one, of the state-based model checking for a temporal calculus that includes an unrestricted connective of disjunction is incomplete for the trace-based semantics.



3.4.2 Complete shell

Theorem 3.21. $\mathrm{Shell}_\cup(\rho^\forall_M) = \lambda X.\, X \cap M$, so that the set of fixpoints of $\mathrm{Shell}_\cup(\rho^\forall_M)$ is $\{X \in \wp(T) \mid X \subseteq M\}$.

Proof. By Theorem 2.1 and Remark 2.3, $\mathrm{Shell}_\cup(\rho^\forall_M) = \sqcap_{i \in \mathbb{N}} R^i_\cup(\rho^\forall_M)$, where $R_\cup(\eta) = \mathrm{Cl}_\cup(\{\cap\{X \in \wp(T) \mid X \cup Y \supseteq Z\}\}_{Y \in \wp(T),\, Z \in \eta}) = \mathrm{Cl}_\cup(\{Z \cap \neg Y \mid Y \in \wp(T),\, Z \in \eta\}) = \mathrm{Cl}_\cup(\{Z \cap Y \mid Y \in \wp(T),\, Z \in \eta\})$. Thus, we have that $\sqcap_{i \in \mathbb{N}} R^i_\cup(\rho^\forall_M) = R_\cup(\rho^\forall_M)$. It remains to observe that $\mathrm{Cl}_\cup(\{Z \cap Y \mid Y \in \wp(T),\, Z \in \rho^\forall_M\}) = \{X \in \wp(T) \mid X \subseteq M\}$: this is an immediate set-theoretic consequence of the fact that $M \in \rho^\forall_M$ and that if $Z \in \rho^\forall_M$ then $Z \subseteq M$. Moreover, let us also note that the set of fixpoints of $\lambda X.\, X \cap M$ is $\{X \in \wp(T) \mid X \subseteq M\}$. □

As a consequence, let us also notice that $\mathrm{Shell}_\cup(\rho^\forall_M)$ is the closure induced by the GI $(\alpha^\cup_M, \wp(T)_\supseteq, \wp(M)_\supseteq, \gamma^\cup_M)$, where $\alpha^\cup_M \stackrel{\mathrm{def}}{=} \lambda X.\, X \cap M$ and $\gamma^\cup_M \stackrel{\mathrm{def}}{=} \lambda X.\, X$. Hence, the complete shell of the universal abstraction for the union is "essentially" the identity mapping. More precisely, for a given model $M$, the closure $\mathrm{Shell}_\cup(\rho^\forall_M)$ can be represented by the abstract domain $\wp(M)_\supseteq$ endowed with the abstraction map $\lambda X.\, X \cap M$ which simply removes those traces which are not in $M$. This means that completeness for disjunction indeed requires all the traces in $M$.

Once again the above complete shell was characterized by exploiting the constructive method in Section 2.2.3. This complete shell can also be obtained in a nonconstructive way.¹

¹ This has been suggested by one anonymous referee.

Lemma 3.22. Let $X$ be any set and $\rho \in \mathrm{uco}(\wp(X)_\supseteq)$ such that $\rho(M) = M$. If $\rho$ is finitely additive then for any $Z \subseteq M$, $\rho(Z) = Z$.

Proof. Assume by contradiction that $Z \subseteq M$ is such that $\rho(Z) \subsetneq Z$, and let $x \in Z \smallsetminus \rho(Z)$. Then, $x \notin M \smallsetminus Z$, so that $x \notin \rho(M \smallsetminus Z)$. Moreover, since $\rho(M \cap Z) \subseteq \rho(Z)$, we also have that $x \notin \rho(M \cap Z)$. On the other hand, $x \in M = \rho(M) = \rho((M \cap Z) \cup (M \smallsetminus Z))$, so that $\rho(M \cap Z) \cup \rho(M \smallsetminus Z) \subsetneq \rho((M \cap Z) \cup (M \smallsetminus Z))$, i.e., $\rho$ is not additive, a contradiction. □

Let us observe that $\rho \in \mathrm{uco}(\wp(T)_\supseteq)$ is complete for finite set-union when for any $X, Y \in \wp(T)$, $\rho(X \cup Y) = \rho(\rho(X) \cup \rho(Y)) = \rho(X) \cup \rho(Y)$, that is, when $\rho$ is finitely additive. This observation allows us to show that $\mathrm{Shell}_\cup(\rho^\forall_M) = \lambda X.\, X \cap M$ in a nonconstructive way: by Lemma 3.22, since $M \in \rho^\forall_M \subseteq \mathrm{Shell}_\cup(\rho^\forall_M)$, it turns out that for any $X \subseteq M$, $X \in \mathrm{Shell}_\cup(\rho^\forall_M)$; hence, $\{X \in \wp(T) \mid X \subseteq M\} \subseteq \mathrm{Shell}_\cup(\rho^\forall_M)$, and since $\{X \in \wp(T) \mid X \subseteq M\}$ is (the set of fixpoints of) the closure $\lambda X.\, X \cap M$ which is finitely additive, i.e. complete for set-union, we have that $\mathrm{Shell}_\cup(\rho^\forall_M) = \lambda X.\, X \cap M$. Let us remark that in this easy nonconstructive proof one first needs to guess some abstract domain and then to prove that this is indeed the complete shell. By contrast, our proof is easy as well and, more importantly, constructive, so that it is enough to apply the methodology in Section 2.2.3 to characterize the complete shell.

3.5 All the connectives

To conclude our analysis, let us characterize the complete core and shell of the universal checking closure for all the connectives of the $\overleftrightarrow{\mu}$-calculus, i.e., the set $\mathbf{TT}$ of all the trace transformers. We need to take care of the following technicality. As far as the universal quantifier is concerned, the following restriction is needed. We just consider the unary restrictions $\lambda X.\forall(N, X) : \wp(T) \to \wp(T)$, where $N \subseteq M \cup {\leftrightarrow}M$, because the binary trace transformer $\forall : \wp(T) \times \wp(T) \to \wp(T)$ is neither monotone nor antitone in its first argument, while given any $N \in \wp(T)$, the unary restriction $\lambda X.\forall(N, X)$ is instead monotone. Standard universal quantification can still be expressed, because, as recalled in Section 2.3, $\forall\phi$ coincides with the unary restriction $\forall(N, \phi)$ where $N = M$ is the set of traces of the model. In the sequel, we will use the following compact notation: $M^* = M \cup {\leftrightarrow}M$. Hence, the set of trace transformers of the $\overleftrightarrow{\mu}$-calculus is $\mathbf{TT} = \{\sigma_S\}_{S \in \wp(\mathbb{S})} \cup \{\pi_t\}_{t \in \wp(\mathbb{S}^2)} \cup \{\oplus, \cup, \neg, \leftrightarrow\} \cup \{\lambda X.\forall(N, X)\}_{N \subseteq M^*}$. As $\mathbf{TT}$ includes negation, which is antimonotone, observe that the existence of the complete core and shell of the universal closure for all the connectives is not guaranteed. However, since the complete core of $\rho^\forall_M$ for negation and disjunction is the greatest closure $\lambda X.\varnothing$ (by Theorems 3.3 and 3.20), as a straight consequence we obtain that $\lambda X.\varnothing$ is also the complete core of $\rho^\forall_M$ for the set $\mathbf{TT}$ of trace transformers, that is $\mathrm{Core}_{\mathbf{TT}}(\rho^\forall_M) = \lambda X.\varnothing$. On the other hand, the complete shell for all the connectives does exist and is as follows.

Theorem 3.23. $\mathrm{Shell}_{\mathbf{TT}}(\rho^\forall_M) = \lambda X.\, X \cap M^*$, so that the set of fixpoints of $\mathrm{Shell}_{\mathbf{TT}}(\rho^\forall_M)$ is $\{X \in \wp(T) \mid X \subseteq M^*\}$.

Proof. Let $\rho = \lambda X.\, X \cap M^*$ and note that this is a closure on $\wp(T)_\supseteq$. The following points show that $\rho \in \Gamma(\wp(T)_\supseteq, \mathbf{TT})$.

(1) $\rho \in \Gamma(\wp(T)_\supseteq, \{\sigma_S\}_{S \in \wp(\mathbb{S})} \cup \{\pi_t\}_{t \in \wp(\mathbb{S}^2)})$ because $\sigma_S$ and $\pi_t$ are 0-ary operators.

(2) $\rho \in \Gamma(\wp(T)_\supseteq, \oplus)$. Since $\oplus$ preserves unions and intersections, given $X \in \wp(T)$, $\rho(\oplus(\rho(X))) = \rho(\oplus(X) \cap (\oplus(M) \cup \oplus({\leftrightarrow}M))) = \oplus(X) \cap (\oplus(M) \cup \oplus({\leftrightarrow}M)) \cap (M \cup {\leftrightarrow}M)$. Also, by Hypothesis 2.6 (ii), $\oplus(M) = M$ and $\oplus({\leftrightarrow}M) = {\leftrightarrow}M$, and therefore $\rho(\oplus(\rho(X))) = \oplus(X) \cap (M \cup {\leftrightarrow}M) = \rho(\oplus(X))$.

(3) $\rho \in \Gamma(\wp(T)_\supseteq, \cup)$. In fact, $\rho(\rho(X) \cup \rho(Y)) = \rho((X \cap M^*) \cup (Y \cap M^*)) = \rho((X \cup Y) \cap M^*) = (X \cup Y) \cap M^* = \rho(X \cup Y)$.

(4) $\rho \in \Gamma(\wp(T)_\supseteq, \neg)$. In fact, $\rho(\neg\rho(X)) = (\neg(X \cap M^*)) \cap M^* = ((\neg X) \cap M^*) \cup ((\neg M^*) \cap M^*) = (\neg X) \cap M^* = \rho(\neg X)$.

(5) $\rho \in \Gamma(\wp(T)_\supseteq, \leftrightarrow)$. As $\leftrightarrow$ preserves intersections and, by Hypothesis 2.6 (ii), ${\leftrightarrow}(M^*) = M^*$, we have that $\rho({\leftrightarrow}(\rho(X))) = \rho({\leftrightarrow}(X \cap M^*)) = {\leftrightarrow}(X) \cap {\leftrightarrow}(M^*) \cap M^* = {\leftrightarrow}(X) \cap M^* = \rho({\leftrightarrow}(X))$.

(6) $\rho \in \Gamma(\wp(T)_\supseteq, \{\lambda X.\forall(N, X)\}_{N \subseteq M^*})$. Let $N \subseteq M^*$ and $X \in \wp(T)$, and observe that for any $(i,\sigma) \in N$, we have that $N_{i,\sigma} \subseteq X \cap M^* \Leftrightarrow N_{i,\sigma} \subseteq X$. Thus, $\rho(\forall(N, \rho(X))) = \{(i,\sigma) \in N \mid N_{i,\sigma} \subseteq X \cap M^*\} \cap M^* = \{(i,\sigma) \in N \mid N_{i,\sigma} \subseteq X\} \cap M^* = \rho(\forall(N, X))$.

To conclude, consider any $\eta \in \mathrm{uco}(\wp(T)_\supseteq)$ such that $\eta \in \Gamma(\wp(T)_\supseteq, \mathbf{TT})$ and $\eta \sqsubseteq \rho^\forall_M$. Since $\eta \in \Gamma(\wp(T)_\supseteq, \cup)$, by Theorem 3.21, we have that $\eta \sqsubseteq \mathrm{Shell}_\cup(\rho^\forall_M) = \lambda X.\, X \cap M$. Moreover, $\eta \in \Gamma(\wp(T)_\supseteq, \leftrightarrow)$, and hence, by Theorem 3.19, $\eta \sqsubseteq \mathrm{Shell}_\leftrightarrow(\rho^\forall_M) = \rho^\forall_M \sqcap \rho^\forall_{{\leftrightarrow}M} \sqsubseteq \rho^\forall_{{\leftrightarrow}M}$. Thus, because $\eta \sqsubseteq \rho^\forall_{{\leftrightarrow}M}$ and $\eta \in \Gamma(\wp(T)_\supseteq, \cup)$, we have that $\eta \sqsubseteq \mathrm{Shell}_\cup(\rho^\forall_{{\leftrightarrow}M})$. By Theorem 3.21, $\mathrm{Shell}_\cup(\rho^\forall_{{\leftrightarrow}M}) = \lambda X.\, X \cap {\leftrightarrow}M$, so that $\eta \sqsubseteq \lambda X.\, X \cap {\leftrightarrow}M$. Hence, we obtained that $\eta \sqsubseteq (\lambda X.\, X \cap M) \sqcap (\lambda X.\, X \cap {\leftrightarrow}M) = \rho$. Thus, $\mathrm{Shell}_{\mathbf{TT}}(\rho^\forall_M) = \rho$. □

Let us observe that $\wp(M^*)_\supseteq$ is a suitable abstract domain for representing this complete shell because the GI $(\alpha^{\mathbf{TT}}_M, \wp(T)_\supseteq, \wp(M^*)_\supseteq, \gamma^{\mathbf{TT}}_M)$, where $\alpha^{\mathbf{TT}}_M = \lambda X.\, X \cap M^*$ and $\gamma^{\mathbf{TT}}_M = \lambda X.\, X$, induces the closure $\lambda X.\, X \cap M^*$. The abstract domain $\wp(M^*)$ therefore represents the traces of the system $(\mathbb{S}, \to)$ and of the reversed system $(\mathbb{S}, \leftarrow)$.

Let us remark that by exploiting the above results in Sections 3.1-3.4, it is not hard to characterize the complete shell of the universal abstraction for any subset of trace transformers. For example, when we leave out the reversal operator from $\mathbf{TT}$, as one expects, it is easy to show that in this case $\mathrm{Shell}_{\mathbf{TT}}(\rho^\forall_M) = \lambda X.\, X \cap M$.



4 Completeness of temporal languages

Let $\mathsf{Op}$ be any set of temporal connectives, where each $op \in \mathsf{Op}$ has a corresponding arity $\sharp(op) \geq 0$, so that constants are viewed as connectives whose arity is 0. Following Cousot and Cousot [10, Section 8], $\mathsf{Op}$ induces a corresponding fixpoint temporal language $\mathcal{L}_{\mathsf{Op}}$ which is inductively defined as follows:

$$\mathcal{L}_{\mathsf{Op}} \ni \phi ::= X \mid op(\phi_1, \ldots, \phi_n) \mid \mu X.\phi \mid \nu X.\phi$$

where $X \in \mathbb{X}$ and $op \in \mathsf{Op}$. Given any set of states $\mathbb{S}$ which determines a corresponding set of traces $T$, the semantics of any connective $op$ with arity $n \geq 0$ is given by a corresponding trace transformer $\mathbf{op} : \wp(T)^n \to \wp(T)$. The set of trace transformers that provide the semantics of connectives in $\mathsf{Op}$ is denoted by $\mathbf{Op}$. Hence, this determines a trace semantics of $\mathcal{L}_{\mathsf{Op}}$, namely $[\![\cdot]\!] : \mathcal{L}_{\mathsf{Op}} \to \mathbb{E} \to \wp(T)$, where $\mathbb{E} = \mathbb{X} \to \wp(T)$ is the set of (concrete) environments, which is inductively (and, possibly, partially due to fixpoints) defined as follows:

$$[\![X]\!]\xi = \xi(X) \qquad\qquad [\![\mu X.\phi]\!]\xi = \mathrm{lfp}(\lambda N \in \wp(T).\ [\![\phi]\!]\xi[X/N])$$

$$[\![op(\phi_1, \ldots, \phi_n)]\!]\xi = \mathbf{op}([\![\phi_1]\!]\xi, \ldots, [\![\phi_n]\!]\xi) \qquad\qquad [\![\nu X.\phi]\!]\xi = \mathrm{gfp}(\lambda N \in \wp(T).\ [\![\phi]\!]\xi[X/N])$$

Thus, any abstraction of the concrete domain $\wp(T)$ induces an abstract semantics for $\mathcal{L}_{\mathsf{Op}}$. As described in Section 2.4.3, the universal abstraction provides an example: the state semantics $[\![\cdot]\!]^\forall_M$ is the abstract semantics induced by $\rho^\forall_M \in \mathrm{uco}(\wp(T)_\supseteq)$. In general, any abstract domain $\rho \in \mathrm{uco}(\wp(T)_\supseteq)$ induces the set of abstract environments $\mathbb{E}^\rho = \mathbb{X} \to \rho$. Hence, the abstract semantics $[\![\cdot]\!]^\rho : \mathcal{L}_{\mathsf{Op}} \to \mathbb{E}^\rho \to \rho$ is defined as follows:

$$[\![X]\!]^\rho\xi = \xi(X) \qquad\qquad [\![\mu X.\phi]\!]^\rho\xi = \mathrm{lfp}(\lambda N \in \rho.\ [\![\phi]\!]^\rho\xi[X/N])$$

$$[\![op(\phi_1, \ldots, \phi_n)]\!]^\rho\xi = \rho(\mathbf{op}([\![\phi_1]\!]^\rho\xi, \ldots, [\![\phi_n]\!]^\rho\xi)) \qquad\qquad [\![\nu X.\phi]\!]^\rho\xi = \mathrm{gfp}(\lambda N \in \rho.\ [\![\phi]\!]^\rho\xi[X/N])$$

Given a concrete environment $\xi \in \mathbb{E}$, $\rho(\xi) \stackrel{\mathrm{def}}{=} \lambda X.\rho(\xi(X)) \in \mathbb{E}^\rho$ is the corresponding abstract environment induced by $\rho$. Soundness of $\rho$ for the language $\mathcal{L}_{\mathsf{Op}}$ means that the abstract semantics $[\![\cdot]\!]^\rho$ is sound, namely for any $\phi \in \mathcal{L}_{\mathsf{Op}}$ and $\xi \in \mathbb{E}$, $\rho([\![\phi]\!]\xi) \supseteq [\![\phi]\!]^\rho\rho(\xi)$ (in the $\supseteq$-ordered domain $\wp(T)_\supseteq$ the abstract value is the less precise, i.e. the smaller, set, as in Example 3.14 where $\{1\} \supseteq \varnothing$). Completeness of $\rho$ for $\mathcal{L}_{\mathsf{Op}}$ means that equality always holds. As usual, the abstract interpretation approach always ensures soundness, while completeness in general does not hold.
Given $\rho \in \mathrm{uco}(\wp(T)_\supseteq)$, the complete shell of $\rho$ for $\mathcal{L}_{\mathsf{Op}}$, when it exists, is the most abstract domain $\mathrm{Shell}_{\mathcal{L}_{\mathsf{Op}}}(\rho) \in \mathrm{uco}(\wp(T)_\supseteq)$ such that $\mathrm{Shell}_{\mathcal{L}_{\mathsf{Op}}}(\rho) \sqsubseteq \rho$ and $\mathrm{Shell}_{\mathcal{L}_{\mathsf{Op}}}(\rho)$ is complete for $\mathcal{L}_{\mathsf{Op}}$. Complete cores for $\mathcal{L}_{\mathsf{Op}}$ are defined dually.

We recalled in Section 2.2.3 that if $\rho$ is complete for some function $f$ then $\rho$ is also fixpoint complete for $f$. Thus, as a straight consequence we obtain that if $\rho \in \mathrm{uco}(\wp(T)_\supseteq)$ is complete for $\mathbf{Op}$ and either $\rho$ does not contain infinite descending chains or $\rho$ is co-continuous then $\rho$ is complete for $\mathcal{L}_{\mathsf{Op}}$. Moreover, it turns out that complete shells and cores for a temporal language $\mathcal{L}_{\mathsf{Op}}$ coincide with complete shells and cores for the corresponding set $\mathbf{Op}$ of trace transformers.

Theorem 4.1. Let $\rho \in \mathrm{uco}(\wp(T)_\supseteq)$. If $\mathrm{Shell}_{\mathbf{Op}}(\rho)$ exists and either it does not contain infinite descending chains or it is co-continuous then $\mathrm{Shell}_{\mathcal{L}_{\mathsf{Op}}}(\rho) = \mathrm{Shell}_{\mathbf{Op}}(\rho)$.

Proof. As recalled above, since $\mathrm{Shell}_{\mathbf{Op}}(\rho)$ is complete for $\mathbf{Op}$, we have that $\mathrm{Shell}_{\mathbf{Op}}(\rho)$ is complete for $\mathcal{L}_{\mathsf{Op}}$. Moreover, $\mathrm{Shell}_{\mathbf{Op}}(\rho) \sqsubseteq \rho$. Let us consider any $\eta \in \mathrm{uco}(\wp(T)_\supseteq)$ such that $\eta \sqsubseteq \rho$ and $\eta$ is complete for $\mathcal{L}_{\mathsf{Op}}$. Let us check that $\eta$ is complete for $\mathbf{Op}$. Consider $op \in \mathsf{Op}$ and, for simplicity, assume that $op$ is unary. Given $Y \in \wp(T)$, we consider an environment $\xi \in \mathbb{E}$ such that $\xi(X) = Y$. Hence, by completeness of $\eta$ for $\mathcal{L}_{\mathsf{Op}}$, we have that $\eta(\mathbf{op}(Y)) = \eta(\mathbf{op}(\xi(X))) = \eta([\![op(X)]\!]\xi) = [\![op(X)]\!]^\eta\eta(\xi) = \eta(\mathbf{op}(\eta(\xi(X)))) = \eta(\mathbf{op}(\eta(Y)))$. Therefore, $\eta \sqsubseteq \mathrm{Shell}_{\mathbf{Op}}(\rho)$. This implies that $\mathrm{Shell}_{\mathcal{L}_{\mathsf{Op}}}(\rho)$ exists and $\mathrm{Shell}_{\mathcal{L}_{\mathsf{Op}}}(\rho) = \mathrm{Shell}_{\mathbf{Op}}(\rho)$. □

Obviously, an analogous result holds for complete cores as well. This general result can be applied to the $\overleftrightarrow{\mu}$-calculus. Recall that $\mathbf{TT}$ denotes the set of trace transformers of the $\overleftrightarrow{\mu}$-calculus, where the universal quantifier is restricted to a unary operator. Let us denote by $\mathsf{TT}$ the corresponding set of temporal connectives of the $\overleftrightarrow{\mu}$-calculus, so that $\mathcal{L}_{\mathsf{TT}} \subseteq \mathcal{L}_{\overleftrightarrow{\mu}}$ is a slight restriction of the $\overleftrightarrow{\mu}$-calculus where universal quantifications are unary. Consider any set $\mathsf{Op} \subseteq \mathsf{TT}$ of temporal connectives, that gives rise to the language $\mathcal{L}_{\mathsf{Op}} \subseteq \mathcal{L}_{\mathsf{TT}}$, and assume that the complete shell $\mathrm{Shell}_{\mathbf{Op}}(\rho^\forall_M)$ of the universal closure $\rho^\forall_M$ for the trace transformers in $\mathbf{Op}$ exists. Then, by Theorem 4.1, it turns out that $\mathrm{Shell}_{\mathcal{L}_{\mathsf{Op}}}(\rho^\forall_M) = \mathrm{Shell}_{\mathbf{Op}}(\rho^\forall_M)$. Analogously, this also holds for complete cores. Consequently, as far as the core is concerned, we have that

$$\mathrm{Core}_{\mathcal{L}_{\mathsf{TT}}}(\rho^\forall_M) = \lambda X.\varnothing.$$

On the other hand, by Theorem 3.23, it turns out that

$$\mathrm{Shell}_{\mathcal{L}_{\mathsf{TT}}}(\rho^\forall_M) = \lambda X.\, X \cap M^*.$$

Thus, in general, in order to obtain the complete shell/core of the universal closure for some fragment $\mathcal{L}_{\mathsf{Op}}$ of the $\overleftrightarrow{\mu}$-calculus it is enough to characterize the complete shell/core for the corresponding set $\mathbf{Op}$ of trace transformers. For example, if $\mathsf{Op}$ includes arbitrary disjunction but does not include time reversal, so that $\mathcal{L}_{\mathsf{Op}}$ is a future-time language, by the result mentioned at the end of Section 3.5, we have that $\mathrm{Shell}_{\mathcal{L}_{\mathsf{Op}}}(\rho^\forall_M) = \lambda X.\, X \cap M$.

5 Conclusion

This paper studied the completeness of state-based w.r.t. trace-based model checking by using a body of techniques based on abstract interpretation. To put it as a slogan, this study showed that "state-based model checking is intrinsically incomplete w.r.t. trace-based model checking", since no refinement or abstraction of the standard state-based semantics for model checking induced by the universal/existential abstraction of past- and future-time specification languages can lead to a semantics whose corresponding model checking is complete for the trace semantics of the specification language.
The results of this paper suggest some research directions. An abstract interpretation-based approach to model checking for modal Kripke transition systems has been studied by Huth et al. [15]. It is then interesting to investigate whether the framework of modal transition systems based on three-valued logics affects the incompleteness of states w.r.t. traces. In view of the characterizations of transition systems provided by Theorem 3.8 and Corollary 3.17, it is also interesting to determine fragments of $\mu$-calculi and classes of transition systems such that the universal/existential abstraction turns out to be complete. Finally, it is certainly interesting to investigate how completeness of state-based abstractions interacts with the presence of spurious counterexamples in abstract model checking. The works by Clarke et al. [3, 4, 5] on spurious counterexamples originated from the idea of systematically refining abstract models in order to enhance their precision. A spurious counterexample is an abstract trace which is an artificial counterexample generated by the approximation of the abstract model checker, namely there exists a concrete trace approximated by the spurious counterexample which is not a real counterexample. Clarke et al. devised a methodology for refining a partition-based abstract model relatively to a given temporal specification $\phi$ by using the spurious counterexamples provided by the abstract model checker on $\phi$. The relationship between spurious counterexamples and the trace semantics of temporal calculi has not been investigated from an abstract interpretation-based perspective and we believe that the results of this paper might shed some light on these issues.